I would warn everyone that reads this to be very careful. When a domain is stolen, it's usually not used for "legit" purposes. Be very careful when visiting this site - use a patched browser, Java + Flash + Acrobat, etc., in case the new "owners" decide to stick an exploit kit here.
I cannot really recall that ever happening for, like, the last 10 years. I could see the case if they wanted to intercept mail or something, but then the administrator would notice quite fast what was going on (i.e. not receive any mail...).
I see this all the time with Twitter. These days you don't even need to mirror the website; just run a proxy that edits the HTML on the fly. Of course, they just use existing malware to edit the hosts file, but it's easy to translate to simply stealing the domain.
Why would a mail interception not simply relay the mail back to the originally intended server (which, for obvious reasons, is happy to accept mail for the targeted domain)?
The point is very valid: someone who controls a domain can trivially MitM any communication with that domain over unencrypted HTTP. And given events of the past year, I wouldn't put it past them to be able to get a cert issued for the fraudulent domain too...
If he has control over the domain but not the server, it's a man-in-the-middle. He'd have to redirect the nameservers to a new server, which would either request HTML from the original server and add malware on the fly, or create a replica of the original site with extra added malware.
Either way, though, without the private key to the SSL certificate, which he won't have without the original server, he can't pretend to be the original site on the other end of an SSL connection.
It doesn't matter if he has the private keys of the original server. He can MITM it with a brand new fully authenticated official SSL cert because he now owns the domain.
Orig. Server <-- SSL --> MITM Server <-- SSL --> Client
The only thing that usually prevents this is that the MITM Server normally can't get an authenticated SSL cert for the domain and so the client can detect the fake cert.
If SSL worked like SSH then your browser would whine that the cert changed, but the browsers currently don't do that. I think even Convergence (http://convergence.io/) wouldn't detect this case because it looks to the outside world to be totally legit. Scary.
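The SSH-style behaviour the comment above wishes browsers had (warn when a host's certificate changes from the one first seen) is easy to sketch as a trust-on-first-use pin store. The following is an added example, not code from the original thread; it hashes the DER-encoded leaf certificate with SHA-256 and keeps a `known_hosts`-like map from hostname to fingerprint. The certificate bytes in `demo()` are constructed placeholders; in real use the bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac
import json
import os

# Outcomes of check_pin(): trust-on-first-use, unchanged, or changed (the SSH-style warning case)
FIRST_SEEN = "first-seen"
MATCH = "match"
CHANGED = "changed"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded (the 'thumbprint' browsers display)."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(store: dict, host: str, der_cert: bytes):
    """Compare the presented certificate with the one pinned for `host`.

    Returns (outcome, fingerprint). On first sight the fingerprint is recorded,
    exactly like SSH appending to known_hosts. A mismatch is reported, not
    auto-overwritten: a domain hijacker who obtains a freshly issued cert would
    show up here, but so would a routine certificate renewal (the false-positive
    cost of the SSH model that the thread alludes to).
    """
    fp = fingerprint(der_cert)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return FIRST_SEEN, fp
    if hmac.compare_digest(known, fp):
        return MATCH, fp
    return CHANGED, fp


def load_store(path: str) -> dict:
    """Load the pin store from a JSON file (empty dict if it does not exist yet)."""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8") as f:
            return json.load(f)
    return {}


def save_store(path: str, store: dict) -> None:
    """Write the pin store atomically so a crash cannot leave a truncated file."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(store, f, indent=2, sort_keys=True)
    os.replace(tmp, path)


def demo():
    """Walk through first sight, a repeat connection, and a changed certificate.

    Constructed placeholder bytes stand in for real DER certificates.
    """
    store = {}
    cert_v1 = b"constructed-der-placeholder-cert-v1"
    cert_v2 = b"constructed-der-placeholder-cert-v2"  # a different cert for the same host
    results = [
        check_pin(store, "example.com", cert_v1)[0],  # first-seen: pinned
        check_pin(store, "example.com", cert_v1)[0],  # match: same cert again
        check_pin(store, "example.com", cert_v2)[0],  # changed: warn the user
        check_pin(store, "example.com", cert_v1)[0],  # original pin still intact
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

A practical deployment would surface `CHANGED` to the user (or, in a monitoring job, to an alert queue) and require an explicit re-pin, since silently replacing the pin would defeat the point.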
It also happened to mckmama.com (a crazy popular blog my wife follows who couldn't believe that domain hacking was even possible anymore.)
The more interesting aspect was that since mobile nameservers are slow to update, the site still worked on her phone. That led to the lovely "Where does DNS come from" conversation we all have with our loved ones eventually :)
I thought something weird was going on since the sohtonaka.com domain is available when I checked at namecheap.com. Then I noticed that both the tweet and the above message misspell sohtonaka.com - it should be sohtanaka.com.
Judging from the comments on his website, it sounds like everybody and their grandma hates GoDaddy. I've recently been looking into getting a domain name and starting a website, can anyone point me towards a more reputable site to acquire a domain and host a site? (Yeah, I know, I read HN daily, and I'm still clueless when it comes to actually putting up a website)
NearlyFreeSpeech is wonderful. I drive people to them whenever I can.
Along with being trustworthy and protective of their customers, their web panel is simple and no BS. I don't know how people put up with other registrars with their upsell-threw-up-all-over-the-page web panels. Even "good" ones like NameCheap are eyesores.
I hope NFS never lets me down, because I talk them up like they walk on water.
I've used Dreamhost for years. They really work for their customers. Over time you accumulate points that you can use to vote for new features (which I just realized, I have never done... so I should have a decent amount by now!)
Dreamhost is definitely fantastic for customer support, but after a recent email exchange, I learned that they don't have a timeline for when they'll upgrade their password system, which does not use one-way hashes. Password reminder emails contain the password in plaintext. If you're reading this thread and are concerned about domain security, I'd suggest looking somewhere other than Dreamhost for the time being.
I just recently found out that Dreamhost stores its passwords in plaintext! I'll probably be looking to transfer away from this simply for that reason. If you haven't set your panel security to use email confirmation to let new IP addresses log in, I would strongly recommend it.
Just to throw in a slightly differing opinion: I've been with Namecheap more than five years, and overall I've been very satisfied with them. However, I have had a couple of minor issues. Most recently, when making a minor change their support messed up something with my domain. They were slow to respond to my request that they fix it, and seemed far too confused about what was going on. The domain in question wasn't important to me, but if it had been I'd have been pretty pissed.
(Not to beat a dead horse, but back when we could see the karma numbers for comments, it was possible to visibly "second" an endorsement comment by upvoting it, instead of posting separate +1 comments like this one ...)
Another vote for NameCheap. And to make this comment more useful...
I especially love how easy it is to transfer domain names between NameCheap users. I had purchased a domain name once with my personal account. Then I created a company and wanted the domain to be officially owned by that entity and not me. So I created another NameCheap account for that company, then transferred it over very easily.
Of course, it's possible other registrars offer such a frictionless transfer process between account holders too. I've only used NameCheap for this and can say I was pleased with the results.
Seconding the recommendation for gandi. They have very strong policies in favor of the domain owner. They also provide nice services such as email hosting for your domain. I use their server hosting as well, which works quite well, though not fast.
One flaw with Gandi's mail feature is that new accounts do not get wildcard accounts (forward all @example.com mail to one address): you need to register each email address you want individually. Apparently they couldn't handle spam filtering.
I love EasyDNS for domain hosting. I can't quite bring myself to use the same company for DNS hosting and registration; I've used Dotster as a registrar since the 90's.
You couldn't pay me to use huge, inept outfits like GoDaddy or Dreamhost who compete primarily on price. I have a similar, though evidence-free aversion to companies which put words like "cheap" in their name.
One thing to note about EasyDNS is that last I checked, glue updates require human intervention, and IPv6 glue is a good way to confuse the humans on the other side of the support channel. If you don't use glueful delegations, then you probably don't care, but this is the sort of thing that's harder to tell upfront.
Thought I'd mention softsyshosting.com. I've used them for a small IIS website, dataintegrationagent.com. Site setup was easier and quicker than godaddy.com. They were also quick to answer my questions. I found that it was pretty difficult to find a place to host IIS websites, and I really recommend softsyshosting if you're planning on using anything IIS related.
1and1 might not be popular here, but they're pretty cheap ($8.99 for .com), they have sales regularly and they throw in private whois info for free, plus your domain is locked down by default so the sort of thing described in the OP shouldn't happen.
I've used them and didn't have a problem until I wanted to transfer to another domain registrar. After painfully trying to find the transfer auth code and transferring the domain name, 1and1 continued to bill me for a couple of months. To their credit, they reversed the charges after I called them - but that didn't leave me with a satisfactory experience.
I can understand why a company might want to make it painful to leave their service, but continuing to bill me points to either incompetence (some bugs in their billing system) or a malicious act (doubt it though).
One problem with 1and1 is that when your domains are about to be autorenewed, you don't get an email notification till the day of. I prefer registrars that give a few weeks heads up on that so I can cancel the autorenew if I want to let the domain expire (even GoDaddy gives advance notice).
1and1 is terrible. Please do not listen to individual accounts of 'no problems'. If you do have a problem, you will be in trouble. 1and1 is a giant company that makes money by quantity, not quality. In other words, the majority will have no problem, so let's have millions of customers and screw those that have problems. Again, there are too many other good companies to use such a crappy company.
I've tried a few, and have to recommend internetbs.net
The website might seem pretty crappy, but they have really good customer support, plus the best API I've found. If you're looking to register domain names programmatically, definitely check them out.
I used name.com for a website once. I used them for my DNS also (because I don't know how to set up a separate DNS) and they parked their own auto-generated crap at everything except the www subdomain. Apparently, if you are savvy enough to set up your own DNS this isn't a problem, but I wouldn't use them because of this.
Wow, that's pretty evil. I definitely won't be using name.com (I've been happy with Dreamhost as a registrar for years anyway, but would be interested in trying someone else in the future). Thanks for the heads up.
So, if a user came and visited my site, which was www.zideck.com (It's not there any more), they would see my web page. If they were to visit http://zideck.com they would see auto generated spam garbage that said stuff like "What you need, when you need it." In fact, ANY subdomain would result in link spam trash.
Thanks for the tip on setting up DNS. If I create a rackspace cloud server, I imagine there is something special I have to do to make it a DNS server, right? Does it just work straight out of the box?
Yes, and be aware the operation of a lot of ccTLDs is outsourced to companies outside the country in question.
I don't know that much about how many are or aren't operated out of the US, but most of the generic TLDs are, and several ccTLDs definitively are too - for example .tv and .cc are operated by Verisign, and .co is operated by Neustar.
As someone has said elsewhere in this thread, all they are doing is strong-arming the administrators of the TLDs that operate primary offices inside the USA to alter the DNS entries for specified domains they feel are being used to break the law, because that is their jurisdiction, and prevent the owner from being able to change it back.
One of the more controversial parts of SOPA is the ability of ICE/Customs to be able to "un-resolve" domain names under other TLDs and country codes. Since the USA does not have jurisdiction over Russia (as an example), there is no current way to block a filesharing or spammer operating with a .ru address without having a partnership with Russia. This aspect of SOPA would allow the USA Government to block all domain name servers from resolving that address properly, by basically poisoning the legitimate DNS entry with one that resolves to some landing page operated by ICE. They won't be able to seize the domain, but they'll make it just as worthless to anyone inside the USA.
The only way the domain would be able to be moved from Go Daddy would be if the person stealing the name had access to the account, that's the only way to request the transfer authorization / epp code. Their support requires either a pin or last 6 of a CC used on the account to validate callers, if you can provide that they'll update the email on file and help reset the password, but he said his account email is unchanged. So the person taking the name would either have to know the account password, or have access to the email address on file where the reset requests are sent.
Given that this would have to happen from inside the customer account, I can understand why Go Daddy would want to confirm that this was indeed a nefarious act and not something like a domain being sold, transferred, then reported stolen to keep the cash and get the domain back. Or any number of other scenarios one might think of - shady domain stuff happens a lot. I can only imagine the hoops required to jump through for a registrar to get a domain back from another registrar under these circumstances.
"The only way the domain would be able to be moved"
Not sure that's the only way. That's like saying the only way you could get credit card information from Sony's PlayStation servers was if you worked in Sony's billing department.
Not saying this is necessarily a hack, as it most likely is insecure practices on the part of the user, be it passwords or phishing. But seeing a cluster of them raises some concerns that it could be some otherwise unknown method.
There are a lot of posts blaming GoDaddy. Did anyone read the post by David Airey, linked in the article? The reason for his lost domain was that his Gmail account was hacked. The attacker performed a "legit" domain transfer through his registrar. It wasn't the registrar's fault, in this case. The only blame you could place was that perhaps the registrar didn't have enough security check points.
GoDaddy is certainly annoying with their obnoxious web site and sometimes, their tactics, but this could be another email-hijack attack.
The recommended way is to use the Google Authenticator app - available on Android, iOS, and BlackBerry devices - which doesn't require an Internet connection, mobile service, or a data plan to generate verification codes.
Also, you should NOT have Gmail open while surfing the web. I won't even visit a link emailed to me directly. I'm either reading email or surfing, but never both; all private data gets wiped between sessions. Sure, it's a bit paranoid, but it eliminates quite a few attacks and opportunities for social engineering.
Perhaps it is domain registrars that need to implement two-step verification before transfers. It would be such a labour-saving move, and potentially save so much time resolving disputes. Just offer to let people "lock" their domains, to be unlocked with a mobile phone number.