Weekly Edition
Return to the Security page
| |||||||||||||
Who owns your domain?Using a domain registrar to reserve a domain seems a relatively straightforward transaction; one pays the registrar to ensure that the domain resolves to the addresses specified. The content at the domain would seem to be the responsibility of the registrant, leaving the registrar unconcerned with anything other than the technical DNS issues and making deposits. Unfortunately, that is not always the case as Fyodor (of Nmap fame) found out recently when GoDaddy effectively shut down his seclists.org site. With essentially no warning, GoDaddy stopped anyone from viewing the content of seclists (an excellent, comprehensive archive of security mailing lists) due to a complaint from MySpace. Evidently concerned about MySpace username/password lists that were floating around the Internet and being posted to mailing lists, such as full-disclosure, MySpace went directly to the registrar of a site that archives the list. They made no attempt to contact Fyodor, whose email is prominently listed on the seclists contact page, to request that he remove the offending posts. When contacted, GoDaddy evidently deliberated for a minute or two before rerouting DNS requests for seclists.org to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM. One would like to think that a registrar might require a complaining party to take some steps to try and have the offending content removed. One would also hope that a registrar might check with their customer about the complaint before taking any action. Unfortunately, if one uses GoDaddy, neither of those is likely to be the case. GoDaddy was willing to completely block access to content, the vast majority of which is outside the scope of the complaint, based on a single request from a large company. It is also unclear what steps GoDaddy took to confirm the validity of the complaint before shutting down the site. One would hope that randomly calling GoDaddy and claiming to be from MySpace (or another large organization) would not be a route to shutting down sites. In Fyodor's account of the incident, he had to make numerous attempts to contact someone at GoDaddy to even find out why the site had been blocked. GoDaddy did not even see fit to tell their paying customer why they blocked the site and provided no easy route for reinstatement. This kind of behavior is not likely to lead to customer satisfaction; unsurprisingly, Fyodor is currently looking for a new registrar. He has also started the NoDaddy site to document abuses by GoDaddy and to help find alternative providers that will not cave in to the slightest pressure. After numerous phone calls and emails, Fyodor was finally able to get the site back up. He was quite willing to remove the content that so offended MySpace as he has in the past for content, mostly from the full-disclosure list, that has generated legitimate complaints. It should be noted, however, that removing the content from seclists.org did almost nothing to fix the problem; much like trying to put toothpaste back in the tube, reversing an information leak onto the Internet is well nigh impossible. Worse yet, the way they went about things caused enough of a stink that now even casual observers know how to track down this password list; the malicious folks, of course, already had it. This story might have been less damaging to GoDaddy (and MySpace for that matter) had they admitted a mistake was made and that in the future they would make some efforts to work with their customer to resolve complaints. Instead, they did the opposite and went on the offensive claiming that giving any notice was "generous" while essentially admitting that the notice was on the order of one minute. They were also quick to play the "its for the children" card in defending their actions. Somehow the fact that the lists had been available for nine days and that MySpace did nothing at their end (such as suspending the accounts if there was a password match from the list) to alleviate the problem, went completely over the heads of the folks at GoDaddy. It seems implausible that MySpace would put up with the same treatment. If one were to find a page at MySpace with a list of usernames and passwords for that site or some other site frequented by teenagers, does that mean you can have MySpace routed to spam-and-abuse.com with a simple phone call to their registrar? The whole idea of registrars participating in web censorship is a slippery slope and one that sensible registrars will avoid; do they want to be in the middle of these kinds of disputes? It probably seemed very easy to GoDaddy in this case, MySpace vs. a 'hacker', but where are they going to draw the line? For domain owners, this situation should provide an opportunity to go back and review the Terms of Service at your registrar. A community effort, like the one at NoDaddy, can hopefully identify a number of registrars who are more interested in providing the service they are paid for to the people who pay them than they are in appeasing the MySpaces of the world. (Log in to post comments)
Who owns your domain? Posted Feb 1, 2007 10:10 UTC (Thu) by emj (guest, #14307) [Link] Most of the censorship attempts are for the full-disclosure list. It would be easiest just to cease archiving that list,Well that might be a good idea, if one isn't intent on removing illegal stuff from it. Doesn't matter if MySpace users are ordinary people, who can't keep their password secret, it's still no good publishing/archiving them. Though I wouldn't ever use GoDaddy, especially after this.
We do remove inappropriate posts Posted Feb 1, 2007 11:49 UTC (Thu) by fyodor (guest, #3481) [Link] We do remove inappropriate posts when they are brought to our attention. But MySpace never bothered to ask us to remove the page -- they simply persuaded GoDaddy to nuke the whole domain. Our contact information is all over the site, and our email address and phone number is also available in the public whois. We also take removal requests at abuse@seclists.org. We quickly comply with reasonable requests, and publicly mock the unreasonable ones. In any case, a service like MySpace should ALWAYS disable the accounts and notify the users immediately when it finds valid password files on the Web. To think you can just shut down the web sites and pretend the breach never happened is ridiculous. The list is still widely available via a simple Google search.
Who owns your domain? Posted Feb 1, 2007 10:24 UTC (Thu) by drag (subscriber, #31333) [Link] I donno.
This seems to be pretty much abuse and very high-handed behavior coming down from Godaddy. If there was substantial financial losses involved I would seriously be thinking of a civil lawsuit if it was me. I'd be severely pissed.
The list provided a important, legitement and valid service for people. It's BS to just shut it down. This has the pretty much same effect as if Godaddy representatives broke into the servers and unplugged them from the walls.
Who owns your domain? - a piece of insurance? Posted Feb 1, 2007 14:02 UTC (Thu) by gking (guest, #33801) [Link] Just a thought: many of the IP addresses that matter are highly static - much more so than their DNS TTL would suggest. Why don't we start posting our important IP addresses (especially those for the nameservers we run) as a footnote to all those "contact_us.html" web pages? That way, in the event of DNS DoS or legal attacks, savvy folk who really want to reach us can turn to the search engine caches or the Internet Wayback Machine (http://www.archive.org).
So GoDaddy aren't just a common carrier then? Posted Feb 1, 2007 14:17 UTC (Thu) by lysse (guest, #3190) [Link] By taking, and then defending, action to censor a webpage of which they disapproved, haven't GoDaddy effectively nullified their own "common carrier" status? Doesn't that lay them directly open to lawsuits, or even criminal prosecutions, over some of the other sites for which they're willing to provide DNS service?
So GoDaddy aren't just a common carrier then? Posted Feb 2, 2007 1:31 UTC (Fri) by giraffedata (subscriber, #1954) [Link] Who says GoDaddy is a common carrier? Content doesn't flow through Godaddy. Even the domain name lookup prerequisite to transferring content do not flow through Godaddy. All Godaddy does is, as agent for someone such as Fyodor, tell some name server operators, to answer lookups of domain names. I don't think Godaddy ever presumed to have any special immunity from liability based on common carrier status. Incidentally, Godaddy hasn't claimed it had any legal liability for damage that seclists.org might cause if Godaddy left it alone. Its claims are that it had a moral responsibility to exercise its power to stop that damage.
Avoid GoDaddy Posted Feb 1, 2007 15:13 UTC (Thu) by dskoll (subscriber, #1630) [Link] I've heard numerous horror stories about GoDaddy. Avoid them at all costs.
Avoid GoDaddy Posted Feb 1, 2007 17:23 UTC (Thu) by bronson (subscriber, #4806) [Link] Can anyone post good, inexpensive alternatives? I loathe Godaddy's entire used-car-salesman approach but they are 1/2 the price of the next-most-inexpensive, good registrar that I know of. It doesn't take too many domains before that really starts to add up. (http://nodaddy.com/#alternatives shows Moniker and NameSecure are close in price; any good?)
Since Godaddy general counsel Christine Jones is demonstrating a pretty serious lack of understanding of the law and ethics, I think I'd like to start moving my domains elsewhere. Ms. Jones, it's one thing to make a mistake; it's quite another thing to make stuff up ("we gave him an hour") to try to bolster an already untenable position.
- Reluctant godaddy user
Avoid GoDaddy Posted Feb 1, 2007 17:58 UTC (Thu) by grouch (guest, #27289) [Link]
I use itsyourdomain.com (link gives Netcraft's "What's that site running?" results). There is a list of ICANN Accredited Registrars. Incidentally, godaddy.com runs "Windows Server 2003" and "Microsoft-IIS/6.0", either of which is sufficient reason for me to avoid them, even if they weren't so ready to engage in censorship to appease corporate interests. See also, How big was Go Daddy's move from Linux to Windows? by Jay Lyman.
Avoid GoDaddy Posted Feb 2, 2007 12:04 UTC (Fri) by jeroen (subscriber, #12372) [Link] I'm using gandi. They have a very nice web interface and they also support projects like Debian and Jamendo.
Avoid GoDaddy Posted Feb 5, 2007 2:53 UTC (Mon) by himi (guest, #340) [Link] I can second that recommendation - I don't know that they can compare on cost with the ultimate in cut-price registrars, but I've been using them for years with no issues at all.
As a bonus, you get all your communications from them in both English /and/ French ;-)
himi
Who owns your domain? Plug for Gandi Posted Feb 1, 2007 19:14 UTC (Thu) by mikeraz (guest, #155) [Link] When the issue of registrar choice flared up years ago I read reviews and made my choice based on the one rated highest for its EULA. That choice was gandi.net
These two paragraphs from their contract, which follow a segment of terms and definitions, illustrate their attitude.
1.
2.
Their EULA does include a statement about abuse and spam:
6.
They've always been a great registrar for me (read: no spam from them about services, always quick to reply to requests for information). I've stayed with them even as the dollar has declined in value against the Euro and consequently the price has risen.
Who owns your domain? Plug for Gandi Posted Feb 2, 2007 1:44 UTC (Fri) by giraffedata (subscriber, #1954) [Link] I don't get your point. These clauses, which are disclaimers of responsibility, illustrate the same attitude they all have: For what you pay us, you're not entitled to rely on us for anything.It would surprise me if Godaddy doesn't have these same disclaimers in its contract. I'd like to see a EULA that spells out one or two rights for the registree, for example, "Unless Client violates the rules above, Registrar will give 30 days notice before discontinuing the registration."
Who owns your domain? Plug for Gandi Posted Feb 2, 2007 2:58 UTC (Fri) by IkeTo (subscriber, #2122) [Link] I think what he means is that Gandi essentially says "if the domain owner do something illegal, I won't care, the domain owners are the only one to face the jurisdiction". In other words, they will not entertain any request from any third party. That third party must contact the domain owner directly if he has a complain.
Who owns your domain? Plug for Gandi Posted Feb 4, 2007 18:06 UTC (Sun) by giraffedata (subscriber, #1954) [Link] I think what he means is that Gandi essentially says "if the domain owner do something illegal, I won't care, the domain owners are the only one to face the jurisdiction". In other words, they will not entertain any request from any third party. That third party must contact the domain owner directly if he has a complain. I think so too, but if you read it carefully, that's not what Gandi says. Gandi says what they all say, including Godaddy: Gandi is not responsible to the customer for taking the blame if use of the domain harms someone. But Gandi is still free at its option to mess with the registration in order to prevent that harm, and this contract between Gandi and its customer definitely doesn't affect Gandi's responsibility to a third party for that harm. Because this is standard one-sided CYA contract language, I don't think you can infer anything from it about Gandi's attitude toward requests like Myspace's.
Who owns your domain? Plug for Gandi Posted Feb 9, 2007 8:46 UTC (Fri) by lacostej (guest, #2760) [Link] I would note that gandi was initiated in part by Valentin Lacambre of altern.org who is known in France for having tried to stand up against corporations that tried to shut down his free hosting web site because one of the page members had posted scans of court-prohibited pictures.
In the end he lost and got to pay a fee.
Note that at that time, he offered 10M free space while the ISP and other usual services used to offer only 1M...
For those who can read french: http://fr.wikipedia.org/wiki/Valentin_Lacambre
Even though gandi was resold some years ago, I still believe the original spirit is there. That's why I still use them.
Who owns your domain? Posted Feb 2, 2007 21:18 UTC (Fri) by cventers (guest, #31465) [Link] As someone who has manned various websites and projects over the years, Iwould willingly pay a premium for a hosting provider and registrar that would pen a contract that says "We will not under any circumstances knowingly interrupt your service without a court order or properly-processed DMCA takedown notice". It's absolutely ridiculous that hosting providers don't already have this standard.
Oh, and I should note that I'm willing to pay this premium even though
Who owns your domain? Posted Feb 11, 2007 15:26 UTC (Sun) by Duncan (guest, #6647) [Link] Sounds like what is known as "bullet proof hosting".
Wikipedia:
The problem with such clauses is that it allows the spammers safe haven as
I'm simply pointing out that the problem is rather more complex than it
Duncan
Who owns your domain? Posted Feb 10, 2007 17:10 UTC (Sat) by ringerc (subscriber, #3071) [Link] Australia is interesting here, because we have very clear rules about who owns your domain and what they can do with it.
The AuDA (Australian Domains Authority) sets the rules; registrars follow them. The registrant of a domain does not own it - only AuDA does. You simply buy control of it for a certain period of time. The registrar and AuDA are limited in what they can do.
This becomes really nice in cases of squatting etc. Unlike the expensive and corporate-friendly process used by ICANN, in .au you can usually reclaim a domain you have claim to (and the claim rules are *clear*) if the current registrant isn't using it and offers to sell it to you. That's viewed as bad faith negotiation, and they lose control of the domain.
In general it works out as "if you play fair, everything works out." I haven't heard of any issues, and the AuDA guys are really good. It's in my view much saner not to view domains as "property" like the US system seems to, but instead view them as access to a resource.
|
|||||||||||||