Hacker News new | comments | show | ask | jobs | submit login
Securing Your Domain Against Seizure: Where Is Safe to Register a Domain Name? (gun.io)
202 points by Mizza 1632 days ago | hide | past | web | 74 comments | favorite

UAE and Palestine? Seriously? UAE has a questionable track record insofar as journalistic freedom is concerned. It ranks #112, below Liberia and South Sudan, in RSF's Press Freedom Index. What if one of the Emirs is offended by what I post on the site? Palestine ranks #153, not to mention you'd have to take Israel into consideration when you do anything Palestine-related.

Gandi.net is an excellent registrar, but I'm not sure about them anymore since they now operate in the UK and US as well. They even have a US-incorporated subsidiary.

Agree. And all of this is ridiculous anyway. A non-issue for the vast majority of startups who want to do something in the US. Think you're going to get funding and grow your company with a foreign TLD doing something that the US government might disapprove of?

Not to mention the fact that the entire OP is based on the way things are TODAY and that assumes it's even accurate. Which of course it's not (just taking your comment as one of many which makes an important point about UAE.)

Most importantly things in the political world can change overnight.

.ch is Switzerland which is great everybody thinks. Guess what? Check out the way the Swiss caved into US demands on revealing those keeping money in swiss bank accounts. Those accounts were secret for a very long time. Then that changed.


> Think you're going to get funding and grow your company with a foreign TLD doing something that the US government might disapprove of?

The web's biggest sites right now (e.g. YouTube and Facebook) are doing things the U.S. government doesn't approve of. They haven't been shut down ... yet ... but Megaupload has, and what's the functional difference between what Megaupload does and what YouTube does?

My point is just that the way the U.S. gov't is going, no decent web application is safe from being taken down. Anything with user-generated content is basically wide open for seizure.

What makes you think the US government doesn't approve of Facebook? Facebook is a gold mine for agencies that specialize in surveillance. Yeah, people sometimes organize protests on Facebook, but the Feds would probably much prefer them to be organized on Facebook than, let's say, on an encrypted foreign website that is more difficult to monitor. Or even Twitter, where people don't post nearly as much personal information as they do on Facebook.

> but Megaupload has, and what's the functional difference between what Megaupload does and what YouTube does?

The difference, at an organisational level, is that MegaUpload is run by a very small team and is "foreign". Google/YouTube, on the other hand, is an American company employing a number of Americans.

The majority of voters probably care little about MegaUpload (even if they should care). But you can be sure they'd care if YouTube was shut down/the domain seized.

What you said reminded me of an old saying. It goes something like this.

"If you owe the bank $10,000 and can't pay you have a problem. If you owe the bank $100,000,000 and can't pay the bank has a problem".

Size matters.

Yes, exactly.

What this means functionally is that small startups who do the exact same thing as the industry giants will be the ones targeted and shut down. The logical conclusion is that, if you want to start a web application, it might be worth it to found and host your company outside the US.

>Agree. And all of this is ridiculous anyway. A non-issue for the vast majority of startups who want to do something in the US. Think you're going to get funding and grow your company with a foreign TLD doing something that the US government might disapprove of?

You probably still want to check out your registrars reputation (and put valid info in the whois.) If your registrar has a 'shoot first and ask questions later' attitude, well, you are a lot more screwed than if, say, your web hosting provider is the same.

I mean, the article focuses on choosing your registry, but the registrar is the first point of contact for anyone trying to shut you down. Last time I looked (a few years back) to set up a registrar, you needed to pay a couple kilobucks annually to the registry, plus an additional $6.25 for every .com address you register... every year. With those kinds of costs, and the under $10/year price expectation of consumers, it doesn't take many complaints before what you have to pay humans to read them exceeds the amount of profit you could hope to derive from the customer. Reputation is the only motivation that business would have to do anything besides ignore the complaints until they could not be ignored any more, and then shut down the domain.

And valid contact info is important. You want people to complain to you, not your provider. Most of the time, the powers that be won't move without warning. I mean, yeah, depending on what you are doing, being contactable might not help and might even hurt, but for most things that are at least semi-legitimate, and certainly for anything you want to get venture funding for, being contactable helps a lot.

On that note, if you have /any/ user generated content of any type, pay your hundred bucks and get on the US 'Directory of Service Provider Agents for Notification of Claims of Infringement'

I mean none of this helps if the feds are really after you. But really, I don't know what would, in that case. Best you can hope for is to clear things up so that in the borderline cases they send you scary lawyer letters rather than shutting you down.

I thought the same thing initially, but that's what the person I was interview said. He is the most knowledgeable person I have ever talked to about this sort of thing, as he provides administration services to many, many TLDs: http://www.pch.net/technology/anycast.php

Is .io secure from seizure?

Important considerations. Let's not forget the vb.ly debacle, in which Violet Blue's adult link shortener was turned off by the Libyan government. http://techyum.com/2010/10/official-vb-ly-link-shortener-sei...

I take issue with the author's criticism of .is. They've recently told most of the world to go fuck themselves, and one of their members of parliament is a Wikileaks spokesperson. I'm thinking they're pretty pro-freedom.

As an Irish citizen I must admit I'm a little envious of how Iceland has faced down the rest of the world, even if I don't agree 100% with what they did. I think the authors criticism is primarily an economic one. Like Ireland, Iceland is economically weak and can't afford to annoy major trade partners. Would the government concede certain things if subtly threatened with sanctions, even unofficial ones, over IP etc? Maybe, maybe not. Ireland certainly would fold immediately.

They didnt fold when the EU tried to get them to increase tax rates on companies like Google and Intel though did they.


I believe he meant that despite their intentions their size and precarious economic state leaves them open to pressure relative to countries of similar cultural values.

I'm not so sure how relevant the economic strength of a nation is in this decision.

It was not that long ago that Ireland was seen as a booming example of economic growth. In a relatively short term that boom has turned sour.

The selection of a domain name is an integral part of your brand and that is LONG term.

Therefore short term fluctuations in economic success should play a muted part in your domain name decision.

The bottom line here is that the direct US controlled TLDs of .com, .net and .org are now slowly becoming poisonous in the branding decision for any company that may risk annoying the RIAA or MPAA with their new "fangled" business model that disrupts the existing media space or their profit margin (or perceived profit margin) in any way.

The US is shooting itself in foot, but personally I find that a good thing. I see this as a great step in reducing the prominence (and worth) of the core TLDs and ICANN.

I find it quite interesting that when it comes to .com names in particular we are coming towards a point where the saturation is so great, there are no viable domains left. Since land is not ubiquitous, saturation means that you are limited to trading those existing properties only, whilst with domain names, we can create a new TLD and start over again. It is like being able to create new land.

As a further analogy, we discover a new M class planet and some of us brave new worlders start moving there. Everyone living on Earth things we are mad (wtf, they have no Starbucks), but who cares right, we have a virgin planet to discover and plenty of new land to stake our claim upon. We get to choose the best bits of land for ourselves before all those Earthlings get fed up of living in their over-populated land and jump on star ships to join us.

The top comment from this thread a while back also suggested .is as a good options: http://news.ycombinator.com/item?id=2451783

An .is domain is ISK 6.982 a year, or $55.9 (ish)

It's not the cheapest option but it's not too pricey either.

You also get to run your servers off volcanic activity, which is pretty cool and ideal for any aspiring Blofeld, although it does sound potentially risky.

Pie in the sky here, but I never understood why we didn't just drill big holes in the sides of volcanoes, drop a boiler in it, and stick a turbine on top with a radiator/condenser outside. Seems like a pretty easy source of "free" electricity.

Too high risk, and too costly, but mostly a huge risk. It may triggered an unwanted uncontrolled eruption. Which may destroy the local area, grind European flights to halt, cause global cooling, kill all life... etc.

Also that boiler you want to stick in, will need to be made of some exceptional heat resistant material. And probably be replaced very frequently. Not very easy and very expensive. :)

But Iceland do have a lot of geothermal steam based generators.

I think the article forgot its own criteria half way through...

> Countries with military mutual defense agreements (NATO, etc).

And then he continues to name both Sweden and Norway...Norway is a NATO-member (though not part of the EU, just the EEA), and while Sweden is not a NATO-member, it is an EU member state, which means it is involved in EU-defence just as well...(and even though Iceland's economy has recovered well, they are also a NATO-member) Norway is definitely not militarily neutral, since they have troops in Afghanistan.

He also doesn't give a definition for what a "small"-sized or a "medium"-sized country is...

[edited for clarity/spelling]

Yes, I would not have thought countries gets much smaller than Iceland! :)

Small countries are a poor choice for many reasons, not least because too much can change too quickly and it does not require much capital (monetary or political) to capture such a state. Though, obviously, they can be useful for redundancy.

That said, it could be the author meant the list more as optimization criteria rather than a firm checklist. In which case, both the strongly-independently wealthy Norway and the politically liberal and neutral Sweden, are not bad choices.

Oh, I agree, it's not so much that either country is a bad choice per se. And pointing out that a country subject to various bilateral treaties might provide problems down the road is also fair.

Just thought i'd point it out for those that might not know about their degree of international collaboration.

However, especially Sweden is ambiguous at best in my opinion, given their recently enacted strong wiretapping laws. They might not be a problem yet, but they provide the basis for future trouble.

I disagree with the .sg suggestion too. Singapore is an ACTA signatory and the government is in discussions with the MPAA for tougher IP legislation (http://www.channelnewsasia.com/stories/singaporelocalnews/vi...).

Not to mention it's a "small" country (you can't get much smaller than an island)

Agreed, the author is clearly unfamiliar with Singapore - it's a highly authoritarian country.

How about .eu? An obvious choice for any European company planning to expand beyond national borders.

EURid European Registry for Internet Domains) is a non-profit organisation established by the European Commission is a consortium of three European ccTLD operators: DNS Belgium (.be), IIT-CNR (.it) and NIC-SE (.se).

Am I missing something?

Lots of online poker sites have been switching to .eu

I think a distributed .alt where people can have a "backup" of their domain would be nice. gun.io with gun.io.alt running concurrently on the distributed system. It would be a nice reference to the alt.* Usenet split in response to attempts to control it. The underlying technology and how to arrange it is another question though. Edit: Mcantelon's reference elsewhere in the thread to namecoin looks like a good start http://dot-bit.org/Main_Page


It took over a decade to get everyone on the same page re: IPv6, and everybody WANTS that. Be realistic. It ain't gonna happen, ever.

The tech is largely a solved problem, also one can download the zone-files[1] to seed/sync the new system.

The real problem is the chicken/egg one, this is where all past attempts towards an alternate DNS have failed.

[1] http://www.premiumdrops.com/zones.html

Speaking of gandi, a while ago, I ran into some problems logging in to their site, and I—finally—got this response from them by e-mail:

    Hello again pessimism,
    Our password field supports only passwords up to 16
    characters at this time. All longer passwords
    are truncated.
    If you have any further questions, please let me know.
    Tier 1 Tech Support
    Gandi US
I checked in with @theharmonyguy who says this is a pretty bad thing, and I originally intended to do an Ask/Tell HN post about it, but life got in the way.

What are your thoughts on this and its implications for using gandi?

Good find. I use Gandi for some domains, and was curious how they truncate passwords (wtf?) so I tested it by creating a new account with a spare gmail address. The registration page says your pwd must be between 6 and 16 characters, so I tested what happens if you register with a pwd > 16 chars.

I registered the 26 letters of the alphabet for my password, and then tested re-logging in with the full 26 char version, the 26 char version + 1 char (a), the first 17 characters, the first 16 chars, and the first 15 characters.






None but the original 26 character password worked, so apparently they don't truncate passwords at all, they're probably just hashing it down to 16 characters or whatever in the database, then comparing hashes on login attempt.

Their support guy is just playing fast and loose with the word truncate.

The worrying thing about that limit isn't the limit itself, but whatever process they are using to process passwords that imposes that limit.

I mean, if they're hashing the password as they should, why the limit? It's stored as fixed length string anyway...

Speaking of their support, I can see why some people were avoiding Gandi because of it. I'm trying to transfer a domain (from SWITCH, no less) and am having issues. I emailed them a week and a half ago and heard back the next day saying they were looking into it. Still nothing, so I sent another support email two days ago and haven't heard anything.

They have the most TLD offerings of any registrar I've seen (sans Go Daddy) so I'd hate to move away from them because of support issues, but I'm starting to understand the complaints I've read.

Their customer is abysmal. They never respond on Twitter—fair enough, other registrars do, though—and it took four days to get a response to why I couldn’t log in. I even had to go through weird escalations to higher “tiers” of support.

If someone knows a good non-American registrar with a wide selection of domains who also has two-factor authentication like Name.com, please let me know. Until then, I’ll probably just postpone the domain purchases.

If you just use A-Z, a-z, 0-9, you have a password space containing a little over 95 bits of entropy (log2(62^16)). A randomly chosen password should be reasonably secure against most attacks.

123-reg in the UK go one better. Passwords on there have to be eight characters long. No more, no less, exactly eight characters. I couldn't believe it when I saw it.

Interesting article.

Shame he did not cover or mention directly the highly popular .EU domain which has no particularly strong requirements.

While individual EU countries may fall under the NATO/ECHELON agreements under varying degrees of importance (Germany for example it is likely highly irrelevant), internet infrastructure tend to be well-protected at the EU level.

If you look at this as an uptime issue, it has the same answer as any other uptime issue. Redundancy.

A single server isn't good for uptime because when it dies you're screwed. At the next level, a single data-center only gives you so much uptime because if that data center goes down you're screwed.

Same thing here. Any single TLD isn't safe for any number of technical and political reasons. If you want to be safe, register multiple tlds with multiple entities so you have redundancy.

Right, but your domain is your 'store front.' Depending on your customer-base, you could lose out when it comes time to switch domains from example.com to example.ca or example.co.au...

Non-centralized approaches like Namecoin will be more likely offer DNS security than the establish approached.

UAE, Singapore and Mauritius are all small countries. Singapore and UAE have a cozy relationship with US and the media is heavily regulated and controlled by the government in both countries. UAE even blocks Skype.

I dont think the top level domains of these countries are secure at all.

I have a curiosity. Would it be better to register a domain as a person or as an organization? Are there any major differences in liabilities associated with each entity? (And I'm thinking .ch and the like domains. I don't think for .com would make any difference.)

If you want a bulletproof registrar that doesn't bow under pressure and with competitive pricing go for http://internet.bs/ (yes they have their offices in the bahamas). Also free whois protection is included AFAIK

I've registered a few domains with them, when I distributed some domains away from GoDaddy and have been quite happy with them(meaning nothing special happened).

However, one thing you have to keep in mind, that despite actually being a fairly large registar, they are a small company in bahamas. I would imagine, if they had a large target painted on them, they could not last long.

Unfortunately .bs reads as .bullshit to me.

This could be a plus, you can register reallno.bs :-) All jokes aside, according to their site, .bs is not on the list of the available TLD you can register with them

Internet.bs is a good choice if you want a safe domain name registrar. They are based in the Bahamas and the staff is composed by people from Europe and South America.

Getting a "secure" swiss domain name with a registrar in the USA isn't probably the best idea ;)

Or simply register your own tld if you've got hundreds of thousands of $ lying around :)

If it's only hundreds of thousands, you might want to find thousands who'd like to pay hundreds for a TLD that rocks and is safe.

What about .hax? :P


Can anyone explain why these domains are usually so much more expensive that .com domains? I just looked at .se and most of those run almost $40/year. It seems like demand would have .com domains priced higher than these cc-TLDs.

There is very little variable cost to create one additional domain name, so it's hard to have a logical explanation for their pricing. All the TLDs have different beliefs about which price will maximize profit.

Then you have looked at the wrong registrars. Loopia[1], Binero[2] and Crystone[3] all sell .se domains for around $15. (I'm not affiliated with any of these companies),

[1]https://www.loopia.com/domainnames/#prices [2]http://www.binero.se/doman [3]http://www.crystone.com/domainname.aspx

Ok, thank you!

How about... we start a kickstarter. Target 200k of which 185k is used for the application for a gTLD and the remaining 15k is for setting up an INC or LLP such that all those who have contributed can register as many domains as they want for "cost" (whatever that works out to be).

Obviously the exact gTLD we chose is subject to a bit of democracy, voting etc etc but I'm sure with a bit of an open forum then they'll be an interesting debate.

I've got a .co on namecheap now. No controversial plans but curious as to how safe it is.

Even i have got 5 domains with namecheap. As far as i know, there have been no negative incidents with namecheap yet.

namecheap primarily operates as a reseller for enom. You'd be subject to 3 layers of policy (registry, registrar, reseller) + ICANN regulation + the laws in the various jurisdictions. Find something cleaner if you are worried about your domains. Complexity can lead to all sorts of finger pointing when something goes wrong. And if that doesn't phase you, be sure you are comfortable with the enom TOS as you'd likely be subject to that as well. (and yes, I"m aware that NC has an accreditation, that said, most of their registrations are held under and managed through enom's accreditation.)

This is a great resource. But where should we locate our actual application: where should we host to avoid seizure?

I would go with anything .ch

Worth pointing out that SWITCH doesn't permit whois "proxy/anonymizer" services. Your real name and address is going to show up there (unless you register under a company name).

nowhere is safe...if you become a problem they'll eventually come for you

What about .co.za?

What about .to ?

A lot of this comes down to how badly the Feds want you. Another domain might buy you a thin buffer of protection, but if you're doing anything that really irks the US Government they'll go to great lengths to get you. They got the Swiss to burn a lot of their treasured banking privacy customs just to flush out off shore accounts. If you can get the Swiss to do that, you can get most any country to seize a local domain with a fraction of the pressure.

They only got the Americans who kept assets with "Swiss" banks (UBS or CS aren't traditional Swiss banks). Those who took the time to come to Schweiz and meet with the private banks were not touched.

If you have particularly anti-US content, I would think .ru or .ch is a good bet.

This is getting a bit silly. Unless you are running a gambling, torrent or porn site, just get a .com and worry about more important things in your life. Asset seizure is something that drug dealers, not startups, should be worrying about.

So, Jotform (to name just a recent one) was running a "gambling, torrent or porn site"? Right...

The only thing silly here is not taking into account all business risks. US-owned TLDs are very much now a risk.

Jotform was a victim of lax registrar policy and wasn't a seizure by the USG or any of its agencies in any sense.

Using the Internet is a risk. So is crossing the street.

Your single biggest risk in registering a domain name relates to the business practices of the registrar you choose. This has nothing to do with the "nationality" of a TLD.

You also face risks associated with the policy of the TLD you register in, the laws of the local government and the jurisdictions of the registrar, registry and DNS provider you register with.

You also face a myriad of risks associated with the UDRP and various intellectual property law.

You can either worry yourself silly with the boundary cases and outside risks that I see most talked about in recent HN articles or you can cover 99% of your issues by finding yourself a good registrar (one with fair and reasonable policies and practices) operating under a good government (one with fair and reasonable laws and law enforcement practices) and register in a reliable TLD. And then spend the other 23.5 hours in your busy day worrying about running your startup or doing something else useful with your time.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact