The URL shortener only uses uppercase letters for the path of the URL; the domain and protocol are not case sensitive. Modern phones can read such QR codes easily and identify them as URLs.
Is it too paranoid that even for first time Zelle (with people I know in real life) I send a $ and ask them to see if they received it, before sending anything else?
French guards board the train at the Italian border & check everybody's immigration (either an EU card or visa and passport), at least in 2016. They take the passports with them, saying something in French, and bring them back after about an hour. Longest hour of my life.
Similar story of me in 2002. Although I didn't come across geocities, and directly found freeservers.com & made a site davinder.8m.net, which is still up. I lost its password from 2007 to 2022, and recovered it when I recovered my Yahoo email account.
A long time ago I came across a very similar concept in use in India. Not much, but visible usage. I also came to know by looking at a sticker on a car windshield.
> Airport boards are conveniently sorted by departure time.
Not always true. Often I see them sorted alphabetically by destination, then time (in West Coast US). Or occasionally (in the Middle East) by airline name & then time. All Qatar Airlines together. Sometimes even the whole LCD is labeled (digitally, on screen) as A-E, F-M etc. and a bit frustrating way, because often I know my flight destination, but not precise time (& sometimes time shifts around), sorted by pure time.
Except that you go on to describe boards being sorted by time? They may also sort by destination or airline, which are the other pieces of information that I noted passengers already know. You can't use an airport without knowing your departure time and airline, and while it's technically possible to use the airport without knowing your destination (sort of... in point of fact, whenever I check in, the clerk invariably asks me where my final destination is), that's not a scenario that's ever going to come up.
Nobody knows their flight number, and therefore they don't use it for any purpose, including the purpose of identifying their flight.
> and a bit frustrating way, because often I know my flight destination, but not precise time (& sometimes time shifts around), sorted by pure time.
What's the frustrating part? If you don't know the precise time, why does that matter? Knowing it to within an hour will unambiguously identify the flight.
> so they can give the domain to some other customer of theirs without doing any verification
Hosting company can not "give" the domain to anybody. If the domain is still pointing to Hosting with NS records, anybody could make an account at Hosting and add that domain. Now that scammer controls what's visible at the domain, but he is not yet the owner of the domain.
The owner is whoever controls and can change the NS records. The scammer can change all other records, but not NS. NS is at the original domain registrar. The original owner can very easily change the NS and cut the scammer out of everything (& should).
Gitlab used to be like this. You add a domain to Gitlab. You add an A record to your domain registrar or NS manager. Now your domain shows your Gitlab page. After a few months, you don't want the pages anymore. You delete the project from Gitlab. You neglect to delete the A record. A scammer adds that domain to his Gitlab and shows his content at your domain.
Now Gitlab asks you to add a verification TXT record when adding any domain. The scammer's verification record is different. He can't prove that he owns the domain.
> Hosting company can not "give" the domain to anybody.
> Gitlab used to be like this
That's what I'm saying. Hosters can "give" a domain (i.e. control of that domain's records on their nameserver only) to someone else, because they're not registrars and aren't _required_ by some painful business contract with ICANN to have to take change of ownership seriously.
They should require a domain validation challenge to add a new domain, like your Gitlab example, but it doesn't seem like anyone can make them.
So therefore the onus is currently on the domain owner not to leave their domains' NS records pointing at nameservers they don't control!
Hosting can't make the challenge. The only way to prove it is to make a TXT or CNAME record. Anybody the NS is pointing to can make any DNS records.
It's like you put a lock (NS) on your box (domain). After a few months you don't care about that box anymore and leave that key in the wild. Anybody can pick up that key and use the box. The box holder (domain registrar) can't make you verify that you are the original owner 'by' asking you to open the box, because by default, anybody who has the key can open the box. The correct & responsible way is to destroy the box (delete the domain) or at least destroy the key (unpoint the third-party NS records).
> the onus is currently on the domain owner not to leave their domains' NS records pointing at nameservers they don't control!
That's exactly right. That is how this "attack" happens. A bad actor exploits the registrant's abandoned yet still authoritative third-party nameserver assignment.
Discussion elsewhere in this thread[1] of how some of that responsibility/risk could be spread/shifted onto the DNS provider.
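
An added example, not part of the thread and not GitLab's or any host's own code: a Python model of the per-account TXT challenge described in the comments above, with an audit that lists leftover records still aimed at a host. The token scheme, the `_host-verify` label, the account names and the zone contents are all constructed assumptions.

```python
import hashlib
import hmac

PROVIDER_SECRET = b"constructed-demo-secret"  # assumption: key held only by the host

def verification_token(account: str, domain: str) -> str:
    """Token bound to one account and one domain (hypothetical scheme)."""
    msg = f"{account}|{domain.lower()}".encode()
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def can_claim(account, domain, zone, require_txt=True):
    """Would the host let `account` serve content for `domain`?

    zone maps (name, rtype) -> list of values, i.e. what the domain's
    authoritative nameservers currently publish.
    """
    if not require_txt:
        return True  # old behaviour: first account to add the domain wins
    expected = "host-verification=" + verification_token(account, domain)
    published = zone.get((f"_host-verify.{domain.lower()}", "TXT"), [])
    return any(hmac.compare_digest(expected, value) for value in published)

def dangling_records(zone, host_addresses, active_sites):
    """A/CNAME records still aimed at the host for names with no live site."""
    found = []
    for (name, rtype), values in zone.items():
        if rtype in ("A", "CNAME") and name not in active_sites:
            found += [(name, rtype, v) for v in values if v in host_addresses]
    return sorted(found)

# Constructed zone: alice deleted her site but left the A and TXT records.
DOMAIN = "blog.example.com"
ZONE = {
    (DOMAIN, "A"): ["192.0.2.10"],                      # host's address
    ("www.example.com", "A"): ["198.51.100.7"],         # unrelated server
    (f"_host-verify.{DOMAIN}", "TXT"):
        ["host-verification=" + verification_token("alice", DOMAIN)],
}

if __name__ == "__main__":
    print("no check, mallory :", can_claim("mallory", DOMAIN, ZONE, require_txt=False))
    print("TXT check, mallory:", can_claim("mallory", DOMAIN, ZONE))
    print("TXT check, alice  :", can_claim("alice", DOMAIN, ZONE))
    print("cleanup list      :", dangling_records(ZONE, {"192.0.2.10"}, set()))
```

The TXT check only holds while the zone is served from nameservers the owner controls; if the NS records themselves still point at the host, whoever holds the zone there can publish a matching token, which is why the cleanup list matters.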