I would warn everyone that reads this to be very careful. When a domain is stolen, it's usually not used for "legit" purposes. Be very careful when visiting this site - use a patched browser, Java + Flash + Acrobat, etc., in case the new "owners" decide to stick an exploit kit here.
I cannot really recall that ever happening for, like, the last 10 years. I could see the case if they wanted to intercept mail or something, but then the administrator would notice quite fast what was going on (i.e. not receive any mail...).
I see this all the time with Twitter. These days you don't even need to mirror the website; just run a proxy that edits the HTML on the fly. Of course, they just use existing malware to edit hosts file but easy to translate to simply stealing the domain.
Why would a mail interception not simply relay the mail back to the originally intended server (which, for obvious reasons, is happy to accept mail for the targeted domain)?
The point is very valid: someone who controls a domain can trivially MitM any communication with that domain over unencrypted HTTP. And given events of the past year, I wouldn't put it past them to be able to get a cert issued for the fraudulent domain too...
If he has control over the domain but not the server, it's man in the middle. He'd have to redirect the nameservers to a new server, which would either request HTML from the original server and add malware on the fly, or create a replica of the original site with extra added malware.
Either way, though, without the private key to the SSL certificate, which he won't have without the original server, he can't pretend to be the original site on the other end of an SSL connection.
It doesn't matter if he has the private keys of the original server. He can MITM it with a brand new fully authenticated official SSL cert because he now owns the domain.
Orig. Server <-- SSL --> MITM Server <-- SSL --> Client
The only thing that usually prevents this is that the MITM Server normally can't get an authenticated SSL cert for the domain and so the client can detect the fake cert.
If SSL worked like SSH then your browser would whine that the cert changed but the browsers currently don't do that. I think even convergence (http://convergence.io/) wouldn't detect this case because it looks to the outside world to be totally legit. Scary.
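The SSH-style behaviour the comment above wishes browsers had can be approximated from the client side with a trust-on-first-use (TOFU) store of certificate fingerprints. The following is an added example, not code from any commenter: it records the SHA-256 fingerprint of a host's leaf certificate the first time it is seen, and reports "changed" when a later handshake presents a different certificate, which is exactly the signal a valid-but-new certificate issued to a domain's new "owner" would produce. The store file path and the certificate byte strings in the test are constructed stand-ins; the live fetch goes through the standard `ssl` module and is not exercised offline.

```python
import hashlib
import json
import os
import socket
import ssl

# Constructed default path for the fingerprint store (assumption, not a real tool's path).
STORE_PATH = os.path.expanduser("~/.tls-pins.json")


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, colon-separated hex as browsers show it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store, host, der_bytes):
    """Trust-on-first-use: 'new' on first sight (and record it), 'ok' on a match,
    'changed' when the presented certificate differs from the recorded one."""
    fp = cert_fingerprint(der_bytes)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "new"
    return "ok" if known == fp else "changed"


def load_store(path=STORE_PATH):
    """Read the JSON pin store; an absent file is an empty store."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_store(store, path=STORE_PATH):
    with open(path, "w") as fh:
        json.dump(store, fh, indent=2, sort_keys=True)


def fetch_leaf_der(host, port=443, timeout=10):
    """Live check: complete a normal, CA-validated TLS handshake and return the
    leaf certificate in DER form. A CA-valid certificate still passes here,
    which is why the pin comparison is needed on top of it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    pins = load_store()
    for name in sys.argv[1:]:
        result = check_pin(pins, name, fetch_leaf_der(name))
        print(f"{name}: {result} ({pins[name]})")
    save_store(pins)
```

The caveat is the same one SSH users know: legitimate certificate rotation also reports "changed", so this is a prompt to look, not proof of compromise. Comparing the new certificate's issuer and validity dates against the old one is the usual next step.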
This makes me worry about my own domains. I have about 180 domains with GoDaddy (all registered for various projects -- I'm not a squatter). I wish there were a tool that would verify that they're all still registered under my account at GoDaddy. Especially since the "new owners" seem to keep DNS records the same.
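The tool wished for above can be built from public WHOIS data: snapshot the fields that matter for each domain once, then re-query and diff. The following is an added example and not anything GoDaddy or a commenter provides. It parses the common "Key: value" WHOIS format into registrar, nameservers, status codes and expiry, then alerts on a registrar change, a nameserver change, an expiry change, or a missing clientTransferProhibited lock. The two WHOIS texts are constructed samples for a made-up domain; the live lookup talks to the .com registry WHOIS on port 43 and is not run offline.

```python
import re
import socket
from dataclasses import dataclass

# Constructed baseline WHOIS output (not real registry data).
BASELINE_WHOIS = """\
Domain Name: EXAMPLE-PROJECT.COM
Registrar: Example Registrar, LLC
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Expiry Date: 2013-05-01T00:00:00Z
"""

# Constructed output for the same domain after a hypothetical account takeover:
# registrar changed and transfer lock dropped, but nameservers left alone so the
# site keeps resolving and nothing looks wrong from the outside.
CHANGED_WHOIS = """\
Domain Name: EXAMPLE-PROJECT.COM
Registrar: Other Registrar Inc.
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Domain Status: ok
Registry Expiry Date: 2013-05-01T00:00:00Z
"""


@dataclass
class WhoisRecord:
    registrar: str = ""
    nameservers: frozenset = frozenset()
    statuses: frozenset = frozenset()
    expiry: str = ""


def parse_whois(text):
    """Reduce raw WHOIS text to the handful of fields worth watching."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return WhoisRecord(
        registrar=(fields.get("registrar") or [""])[0],
        nameservers=frozenset(ns.lower() for ns in fields.get("name server", [])),
        statuses=frozenset(fields.get("domain status", [])),
        expiry=(fields.get("registry expiry date") or [""])[0],
    )


def diff_records(baseline, current):
    """Return one alert string per change that matters; empty list means no change."""
    alerts = []
    if current.registrar != baseline.registrar:
        alerts.append(f"registrar changed: {baseline.registrar!r} -> {current.registrar!r}")
    if current.nameservers != baseline.nameservers:
        alerts.append(f"nameservers changed: {sorted(baseline.nameservers)} -> {sorted(current.nameservers)}")
    if "clientTransferProhibited" not in current.statuses:
        alerts.append("transfer lock (clientTransferProhibited) is not set")
    if current.expiry != baseline.expiry:
        alerts.append(f"expiry changed: {baseline.expiry} -> {current.expiry}")
    return alerts


def fetch_whois(domain, server="whois.verisign-grs.com", timeout=10):
    """Live WHOIS query over TCP/43 (Verisign runs the .com registry WHOIS); not run offline."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{domain}\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    base = parse_whois(BASELINE_WHOIS)
    for alert in diff_records(base, parse_whois(CHANGED_WHOIS)):
        print("ALERT:", alert)
```

Run it on a schedule against the saved baseline for each domain; registrar WHOIS servers rate-limit, so space the queries out. Because a thief who keeps the nameservers unchanged leaves DNS looking normal, the registrar and lock-status fields are the ones that catch the case described in this thread.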
I transferred all my domains to moniker.com and have an account rep that calls me if any odd activity occurs. I doubt this would happen with them. They allow you to lock down your domains so that it requires offline authentication to move them. Been with Moniker for 4+ years.
The problem with Moniker is poor security: they have no protection against brute-forcing. You can endlessly try to log in to an account, which isn't necessarily a problem for people with a secure password, but it does open up my own concerns about poor security elsewhere...
"all registered for various projects -- I'm not a squatter"
One of the reasons domain prices are low is that people register domains they are not using.
Just like they buy books they don't read. Or buy jewelry they don't wear. (And yes bring on all the replies about the differences that you want but keep in mind the time you picked up the last item on the shelf at the drug store that maybe someone else had a greater need for down the road. Or took the last seat on an airplane.)
No problem with buying domains and letting them sit there until you decide what to do. No problem buying domains that you think you could sell either, in general. As much as this might piss people off who feel the domain should just be there ready when they want it.
Squatting would be registering a domain that specifically (edit: and reasonably) belongs to someone else. Say you hear the local pizzeria opening is called "xyz pizza" and you register "xyzpizza.com". Despite what the media and all the typical articles say about this.
By the way when you say "all registered for various purposes" there is no qualification about what the purpose is so essentially some people would define you as a squatter depending upon the way they see this issue.
I think the accepted definition of a domain squatter is someone who registers domains with the intent of flipping them for a profit. This is broader than "specifically and reasonably belongs to someone else", since you could merely be speculating that someone, at some point in the near future, might want to open a shop called "XYZ pizza", but it still doesn't include pud.
Legally that may be what domain squatting is. However, colloquially, domain squatting means registering domains that you don't use just so you can sell them again for profit. While there may be no legal recourse against such domain squatters, most people would still consider it domain squatting and ethically dubious.
I fail to see the ethical dubiousness, though. People who can afford to buy land they don't build on are (in most cases) not doing anything unethical. For lots of arbitrary reasons domains are a limited resource. That could change, but as it is, domains are like NYC cab medallions. There could be a very legitimate argument that they shouldn't be so scarce, but they are, and owning one is a good, somewhat risky investment. I don't see the difference between owning any of these limited resources with the goal being future sale and profit.
Most types of investments are either beneficial somehow to the market or economy - investing in the stock market is said to promote liquidity - or at least neutral. Domain squatting benefits only ICANN, and on the other hand is actively harmful to people trying to do interesting things with domain names.
"colloquially, domain squatting means registering domains that you don't use just so you can sell them again for profit."
I agree that you are right with that statement. I don't agree that people are well informed about this enough to know that the statement is wrong.
That belief is something that comes from the days of a few bad actors (the Panavision and MTV domains come to mind, and some others) that made the practice which is now called cybersquatting what it is, instead of what it should be based on. And by the way, even the current definition was shaped by intellectual property lawyers as a totally one-sided law brought about to protect the interests of a certain class of owners. (As was the UDRP process, for that matter.)
But yes that is the uninformed view of most people. Just like many ordinary people associate the word "hacker" with "bad" and not "good".
As has been pointed out in another reply, people buy things all the time with the intent to profit from the sale of something they do not use. Since the beginning of time this has not been a bad thing. And why should it be? (Not to mention the fact that there are alternative TLDs; it just happens to be that .com is the ubiquitous one.)
It is generally considered a bad thing to buy things that you don't intend to use, add no value, and sell them at a markup merely due to the fact that they are scarce (artificially, because you bought so many and are controlling the market).
It is considered to be good to buy things that you don't intend to use to resell them if you are adding some kind of value in the reselling; for instance, people who have a local retail store, who are adding the value of being close and convenient, rather than having to go all the way to the producer.
Domain squatters are adding no value. If you just buy a whole ton of domains speculatively, and then sell them off at high markup because so many domains are gone that it's impossible to find good ones, you are adding no value, you are only taking advantage of an artificial scarcity for your own profit.
We have plenty of other negative words for this kind of behavior in other domains. Ever heard of a scalper? There is really no significant difference between a domain squatter and a scalper; they are just people who induce artificial scarcity and use that to run a profit without actually adding any real value.
Since practically there are a finite number of domain names available, wouldn't every registration increase the scarcity in the market, and thus raise prices?
At least in my own experiences, I've never seen a domain sold by a private party for less than 5x the typical price from a registrar. This would raise the average price of domains, not lower them as you suggest.
It has definitely raised prices for a name that would be known in advance to be valuable. No question there. But the increase in number of people registering multiple names has supported a reduction in price.
The actual number of names (not taking into account putting a dash in one or more places, the fact that there are only a few one-letter names that aren't blocked, and some other stuff) is approx. 26 to the 63rd power.
While that's finite, it's still a huge number of possibilities. (Like IPv6.)
I have in my hand an invoice dated 1999 (my earliest domain was '96) and the charge is $70 (for two years). Before that if my memory is correct the price was $100 for two years. Before that the price was 0 (yes 0 when there were so few takers).
It's a little chicken-and-egg, but the fact that a high-volume registrar (like GoDaddy) registers so many domains allows them to make so little per domain. (Actually that's not entirely true; they also make money by selling you things you don't need, but that's an entirely separate subject.)
So the bottom line is this. If you look at the registration activity, speculators and non-users of domains drive up registration volume greatly. But of the names they register, only a small percentage have anyone interested in buying at any price. So in the end, the fact that they do what they do drives prices down for everyone.
Edit: Although I agree that's little consolation if they have the domain you want. But there is certainly no guarantee that the name you want wouldn't have been grabbed by someone before you anyway, right? (See woodrich.com below)
For example, the following are all available at a low low price:
pud, we've talked domains before, through a mutual friend Jay W. Anyway, call GoDaddy and ask them for an executive lock on all your domains. Also ask for an executive account rep.
Once you have both of those, GoDaddy actually calls you and your rep will request a PIN number from you. Your names will only move if you give them permission to move. Other registrars have this level of security too. Hit me up if you want a referral to a good rep over there.
Quantcast uses MarkMonitor. I bet it's expensive, and I have no idea how expensive, but you can configure your domain such that changing any registration information requires a phone call to a short list of people (i.e. CEO, CTO, or head sysadmin) and security codes. If your domain is important, it might be worth it.
Also, GoDaddy just got private-equitied, so it's going to be extra shit as they ruin the company, pay themselves an enormous fee, and sell it to the next greater fools.
It also happened to mckmama.com (a crazy popular blog my wife follows who couldn't believe that domain hacking was even possible anymore.)
The more interesting aspect was that since mobile nameservers are slow to update, the site still worked on her phone. That led to the lovely "Where does DNS come from" conversation we all have with our loved ones eventually :)
I thought something weird was going on since the sohtonaka.com domain is available when I checked at namecheap.com. Then I noticed that both the tweet and the above message misspell sohtonaka.com - it should be sohtanaka.com.
The only way the domain would be able to be moved from Go Daddy would be if the person stealing the name had access to the account; that's the only way to request the transfer authorization / EPP code. Their support requires either a PIN or the last 6 digits of a CC used on the account to validate callers; if you can provide that, they'll update the email on file and help reset the password, but he said his account email is unchanged. So the person taking the name would either have to know the account password, or have access to the email address on file where the reset requests are sent.
Given that this would have to happen from inside the customer account, I can understand why Go Daddy would want to confirm that this was indeed a nefarious act and not something like a domain being sold, transferred, then reported stolen to keep the cash and get the domain back. Or any number of other scenarios one might think of - shady domain stuff happens a lot. I can only imagine the hoops required to jump through for a registrar to get a domain back from another registrar under these circumstances.
"The only way the domain would be able to be moved"
Not sure that's the only way. That's like saying the only way you could get credit card information from Sony's playstation servers was if you worked in Sony's billing department.
Not saying this is necessarily a hack, as it most likely is insecure practices on the part of the user, be it passwords or phishing. But seeing a cluster of them raises some concerns that it could be some otherwise unknown method.
Why is all the blame being put on GoDaddy here? The problem is that his email account was compromised. Once that happens, it's game over. Everything online linked to that account is likely up for grabs at that point.
Use two-factor auth on your Google accounts, people.
Two factor auth? You just go into your account settings, elect to turn it on, it'll have you install the Google Auth app on your phone and scan a QR code, which configures the app. Then, when you try to log into your account next, it'll ask for the code generated by the app.
The authenticator itself is just HMAC-OTP with the seed as the current time quantized to 30-second intervals. Very straightforward.
Judging from the comments on his website, it sounds like everybody and their grandma hates GoDaddy. I've recently been looking into getting a domain name and starting a website, can anyone point me towards a more reputable site to acquire a domain and host a site? (Yeah, I know, I read HN daily, and I'm still clueless when it comes to actually putting up a website)
NearlyFreeSpeech is wonderful. I drive people to them whenever I can.
Along with being trustworthy and protective of their customers, their web panel is simple and no BS. I don't know how people put up with other registrars with their upsell-threw-up-all-over-the-page web panels. Even "good" ones like NameCheap are eyesores.
I hope NFS never lets me down, because I talk them up like they walk on water.
Just to throw in a slightly differing opinion: I've been with Namecheap more than five years, and overall I've been very satisfied with them. However, I have had a couple of minor issues. Most recently, when making a minor change their support messed up something with my domain. They were slow to respond to my request that they fix it, and seemed far too confused about what was going on. The domain in question wasn't important to me, but if it had been I'd have been pretty pissed.
(Not to beat a dead horse, but back when we could see the karma numbers for comments, it was possible to visibly "second" an endorsement comment by upvoting it, instead of posting separate +1 comments like this one ...)
Another vote for NameCheap. And to make this comment more useful...
I especially love how easy it is to transfer domain names between NameCheap users. I had purchased a domain name once with my personal account. Then I created a company and wanted the domain to be officially owned by that entity and not me. So I created another NameCheap account for that company, then transferred it over very easily.
Of course, it's possible other registrars offer such a frictionless transfer process between account holders too. I've only used NameCheap for this and can say I was pleased with the results.
I've used Dreamhost for years. They really work for their customers. Over time you accumulate points that you can use to vote for new features (which I just realized, I have never done... so I should have a decent amount by now!)
Dreamhost is definitely fantastic for customer support, but after a recent email exchange, I learned that they don't have a timeline for when they'll upgrade their password system, which does not use one-way hashes. Password reminder emails contain the password in plaintext. If you're reading this thread and are concerned about domain security, I'd suggest looking somewhere other than Dreamhost for the time being.
I just recently found out that Dreamhost stores its passwords in plaintext! I'll probably be looking to transfer away from them simply for that reason. If you haven't set your panel security to use email confirmation to let new IP addresses log in, I would strongly recommend it.
Seconding the recommendation for gandi. They have very strong policies in favor of the domain owner. They also provide nice services such as email hosting for your domain. I use their server hosting as well, which works quite well, though not fast.
One flaw with Gandi's mail feature is that new accounts do not get wildcard accounts (forward all @example.com mail to one address): you need to register each email address you want individually. Apparently they couldn't handle spam filtering.
1and1 might not be popular here, but they're pretty cheap ($8.99 for .com), they have sales regularly and they throw in private whois info for free, plus your domain is locked down by default so the sort of thing described in the OP shouldn't happen.
I've used them and didn't have a problem until I wanted to transfer to another domain registrar. After painfully trying to find the transfer auth code and transferring the domain name, 1and1 continued to bill me for a couple of months. To their credit, they reversed the charges after I called them, but that didn't leave me with a satisfactory experience.
I can understand why a company might want to make it painful to leave their service, but continuing to bill me points to either incompetence (some bugs in their billing system) or a malicious act (doubt it though).
One problem with 1and1 is that when your domains are about to be autorenewed, you don't get an email notification till the day of. I prefer registrars that give a few weeks heads up on that so I can cancel the autorenew if I want to let the domain expire (even GoDaddy gives advance notice).
1and1 is terrible. Please do not listen to individual accounts of 'no problems'. If you do have a problem, you will be in trouble. 1and1 is a giant company that makes money by quantity, not quality. In other words, the majority will have no problem, so let's have millions of customers and screw those that have problems. Again, there are too many other good companies to use such a crappy company.
I love EasyDNS for domain hosting. I can't quite bring myself to use the same company for DNS hosting and registration; I've used Dotster as a registrar since the 90's.
You couldn't pay me to use huge, inept outfits like GoDaddy or Dreamhost who compete primarily on price. I have a similar, though evidence-free aversion to companies which put words like "cheap" in their name.
One thing to note about EasyDNS is that last I checked, glue updates require human intervention, and IPv6 glue is a good way to confuse the humans on the other side of the support channel. If you don't use glueful delegations, then you probably don't care, but this is the sort of thing that's harder to tell upfront.
Thought I'd mention softsyshosting.com. I've used them for a small IIS website, dataintegrationagent.com. Site setup was easier and quicker than godaddy.com. They were also quick to answer my questions. I found that it was pretty difficult to find a place to host IIS websites, and I really recommend softsyshosting if you're planning on using anything IIS related.
I've tried a few, have to recommend internetbs.net
The website might seem pretty crappy, but they have really good customer support, plus the best API I've found. If you're looking to register domain names programmatically, definitely check them out.
I used name.com for a website once. I used them for my DNS also (because I don't know how to set up a separate DNS) and they parked their own auto-generated crap at everything except the www subdomain. Apparently, if you are savvy enough to set up your own DNS this isn't a problem, but I wouldn't use them because of this.
So, if a user came and visited my site, which was www.zideck.com (It's not there any more), they would see my web page. If they were to visit http://zideck.com they would see auto generated spam garbage that said stuff like "What you need, when you need it." In fact, ANY subdomain would result in link spam trash.
Thanks for the tip on setting up DNS. If I create a rackspace cloud server, I imagine there is something special I have to do to make it a DNS server, right? Does it just work straight out of the box?
Wow, that's pretty evil. I definitely won't be using name.com (I've been happy with Dreamhost as a registrar for years anyway, but would be interested in trying someone else in the future). Thanks for the heads up.
Yes, and be aware that the operation of a lot of ccTLDs is outsourced to companies outside the country in question.
I don't know that much about how many are or aren't operated out of the US, but most of the generic TLDs are, and several ccTLDs definitely are too; for example .tv and .cc are operated by Verisign, and .co is operated by Neustar.
As someone has said elsewhere in this thread, all they are doing is strong-arming the administrators of the TLDs that operate primary offices inside the USA to alter the DNS entries for specified domains they feel are being used to break the law, because that is their jurisdiction, and prevent the owner from being able to change it back.
One of the more controversial parts of SOPA is the ability of ICE/Customs to be able to "un-resolve" domain names under other TLDs and country codes. Since the USA does not have jurisdiction over Russia (as an example), there is no current way to block a filesharing or spammer operating with a .ru address without having a partnership with Russia. This aspect of SOPA would allow the USA Government to block all domain name servers from resolving that address properly, by basically poisoning the legitimate DNS entry with one that resolves to some landing page operated by ICE. They won't be able to seize the domain, but they'll make it just as worthless to anyone inside the USA.