Who owns your domain?
Using a domain registrar to reserve a domain seems a relatively straightforward transaction; one pays the registrar to ensure that the domain resolves to the addresses specified. The content at the domain would seem to be the responsibility of the registrant, leaving the registrar unconcerned with anything other than the technical DNS issues and making deposits. Unfortunately, that is not always the case as Fyodor (of Nmap fame) found out recently when GoDaddy effectively shut down his seclists.org site. With essentially no warning, GoDaddy stopped anyone from viewing the content of seclists (an excellent, comprehensive archive of security mailing lists) due to a complaint from MySpace.
Evidently concerned about MySpace username/password lists that were floating around the Internet and being posted to mailing lists, such as full-disclosure, MySpace went directly to the registrar of a site that archives the list. They made no attempt to contact Fyodor, whose email is prominently listed on the seclists contact page, to request that he remove the offending posts. When contacted, GoDaddy evidently deliberated for a minute or two before rerouting DNS requests for seclists.org to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.
One would like to think that a registrar might require a complaining party to take some steps to try and have the offending content removed. One would also hope that a registrar might check with their customer about the complaint before taking any action. Unfortunately, if one uses GoDaddy, neither of those is likely to be the case. GoDaddy was willing to completely block access to content, the vast majority of which is outside the scope of the complaint, based on a single request from a large company. It is also unclear what steps GoDaddy took to confirm the validity of the complaint before shutting down the site. One would hope that randomly calling GoDaddy and claiming to be from MySpace (or another large organization) would not be a route to shutting down sites.
In Fyodor's account of the incident, he had to make numerous attempts to contact someone at GoDaddy to even find out why the site had been blocked. GoDaddy did not even see fit to tell their paying customer why they blocked the site and provided no easy route for reinstatement. This kind of behavior is not likely to lead to customer satisfaction; unsurprisingly, Fyodor is currently looking for a new registrar. He has also started the NoDaddy site to document abuses by GoDaddy and to help find alternative providers that will not cave in to the slightest pressure.
After numerous phone calls and emails, Fyodor was finally able to get the site back up. He was quite willing to remove the content that so offended MySpace as he has in the past for content, mostly from the full-disclosure list, that has generated legitimate complaints. It should be noted, however, that removing the content from seclists.org did almost nothing to fix the problem; much like trying to put toothpaste back in the tube, reversing an information leak onto the Internet is well nigh impossible. Worse yet, the way they went about things caused enough of a stink that now even casual observers know how to track down this password list; the malicious folks, of course, already had it.
This story might have been less damaging to GoDaddy (and MySpace for that matter) had they admitted a mistake was made and that in the future they would make some efforts to work with their customer to resolve complaints. Instead, they did the opposite and went on the offensive, claiming that giving any notice was "generous" while essentially admitting that the notice was on the order of one minute. They were also quick to play the "it's for the children" card in defending their actions. Somehow the fact that the lists had been available for nine days and that MySpace did nothing at their end (such as suspending the accounts if there was a password match from the list) to alleviate the problem went completely over the heads of the folks at GoDaddy.
It seems implausible that MySpace would put up with the same treatment. If one were to find a page at MySpace with a list of usernames and passwords for that site or some other site frequented by teenagers, does that mean you can have MySpace routed to spam-and-abuse.com with a simple phone call to their registrar? The whole idea of registrars participating in web censorship is a slippery slope and one that sensible registrars will avoid; do they want to be in the middle of these kinds of disputes? It probably seemed very easy to GoDaddy in this case, MySpace vs. a 'hacker', but where are they going to draw the line?
For domain owners, this situation should provide an opportunity to go back and review the Terms of Service at your registrar. A community effort, like the one at NoDaddy, can hopefully identify a number of registrars who are more interested in providing the service they are paid for to the people who pay them than they are in appeasing the MySpaces of the world.
Index entries for this article | |
---|---|
GuestArticles | Edge, Jake |
Who owns your domain?
Posted Feb 1, 2007 10:10 UTC (Thu) by emj (guest, #14307)

> Most of the censorship attempts are for the full-disclosure list. It would be easiest just to cease archiving that list,

Well that might be a good idea, if one isn't intent on removing illegal stuff from it. Doesn't matter if MySpace users are ordinary people, who can't keep their password secret, it's still no good publishing/archiving them.

Though I wouldn't ever use GoDaddy, especially after this.

We do remove inappropriate posts
Posted Feb 1, 2007 11:49 UTC (Thu) by fyodor (guest, #3481)

We do remove inappropriate posts when they are brought to our attention. But MySpace never bothered to ask us to remove the page -- they simply persuaded GoDaddy to nuke the whole domain. Our contact information is all over the site, and our email address and phone number are also available in the public whois. We also take removal requests at abuse@seclists.org. We quickly comply with reasonable requests, and publicly mock the unreasonable ones.

In any case, a service like MySpace should ALWAYS disable the accounts and notify the users immediately when it finds valid password files on the Web. To think you can just shut down the web sites and pretend the breach never happened is ridiculous. The list is still widely available via a simple Google search.

-Fyodor
Insecure.Org

Who owns your domain?
Posted Feb 1, 2007 10:24 UTC (Thu) by drag (guest, #31333)

I donno.

This seems to be pretty much abuse and very high-handed behavior coming down from Godaddy. If there were substantial financial losses involved I would seriously be thinking of a civil lawsuit if it was me. I'd be severely pissed.

The list provided an important, legitimate and valid service for people. It's BS to just shut it down. This has pretty much the same effect as if Godaddy representatives broke into the servers and unplugged them from the walls.

Who owns your domain? - a piece of insurance?
Posted Feb 1, 2007 14:02 UTC (Thu) by gking (guest, #33801)

Just a thought: many of the IP addresses that matter are highly static - much more so than their DNS TTL would suggest. Why don't we start posting our important IP addresses (especially those for the nameservers we run) as a footnote to all those "contact_us.html" web pages? That way, in the event of DNS DoS or legal attacks, savvy folk who really want to reach us can turn to the search engine caches or the Internet Wayback Machine (http://www.archive.org).

So GoDaddy aren't just a common carrier then?
Posted Feb 1, 2007 14:17 UTC (Thu) by lysse (guest, #3190)

By taking, and then defending, action to censor a webpage of which they disapproved, haven't GoDaddy effectively nullified their own "common carrier" status? Doesn't that lay them directly open to lawsuits, or even criminal prosecutions, over some of the other sites for which they're willing to provide DNS service?

So GoDaddy aren't just a common carrier then?
Posted Feb 2, 2007 1:31 UTC (Fri) by giraffedata (guest, #1954)

Who says GoDaddy is a common carrier?

Content doesn't flow through Godaddy. Even the domain name lookups prerequisite to transferring content do not flow through Godaddy. All Godaddy does is, as agent for someone such as Fyodor, tell some name server operators to answer lookups of domain names.

I don't think Godaddy ever presumed to have any special immunity from liability based on common carrier status.

Incidentally, Godaddy hasn't claimed it had any legal liability for damage that seclists.org might cause if Godaddy left it alone. Its claims are that it had a moral responsibility to exercise its power to stop that damage.

Avoid GoDaddy
Posted Feb 1, 2007 15:13 UTC (Thu) by dskoll (subscriber, #1630)

I've heard numerous horror stories about GoDaddy. Avoid them at all costs.

Avoid GoDaddy
Posted Feb 1, 2007 17:23 UTC (Thu) by bronson (subscriber, #4806)

Can anyone post good, inexpensive alternatives? I loathe Godaddy's entire used-car-salesman approach but they are 1/2 the price of the next-most-inexpensive, good registrar that I know of. It doesn't take too many domains before that really starts to add up. (http://nodaddy.com/#alternatives shows Moniker and NameSecure are close in price; any good?)

Since Godaddy general counsel Christine Jones is demonstrating a pretty serious lack of understanding of the law and ethics, I think I'd like to start moving my domains elsewhere. Ms. Jones, it's one thing to make a mistake; it's quite another thing to make stuff up ("we gave him an hour") to try to bolster an already untenable position.

- Reluctant godaddy user

Avoid GoDaddy
Posted Feb 1, 2007 17:58 UTC (Thu) by grouch (guest, #27289)

> Can anyone post good, inexpensive alternatives?

I use itsyourdomain.com (link gives Netcraft's "What's that site running?" results). There is a list of ICANN Accredited Registrars.

Incidentally, godaddy.com runs "Windows Server 2003" and "Microsoft-IIS/6.0", either of which is sufficient reason for me to avoid them, even if they weren't so ready to engage in censorship to appease corporate interests. See also, How big was Go Daddy's move from Linux to Windows? by Jay Lyman.

Avoid GoDaddy
Posted Feb 2, 2007 12:04 UTC (Fri) by jeroen (guest, #12372)

I'm using gandi. They have a very nice web interface and they also support projects like Debian and Jamendo.

Avoid GoDaddy
Posted Feb 5, 2007 2:53 UTC (Mon) by himi (subscriber, #340)

I can second that recommendation - I don't know that they can compare on cost with the ultimate in cut-price registrars, but I've been using them for years with no issues at all.

As a bonus, you get all your communications from them in both English /and/ French ;-)

himi

Who owns your domain? Plug for Gandi
Posted Feb 1, 2007 19:14 UTC (Thu) by mikeraz (guest, #155)

When the issue of registrar choice flared up years ago I read reviews and made my choice based on the one rated highest for its EULA. That choice was gandi.net

These two paragraphs from their contract, which follow a segment of terms and definitions, illustrate their attitude.

1. The Client owns the Domain Name registered. Gandi simply acts on the Client's behalf. Client acknowledges that Gandi services consist only of including in the shared Domain Names database, the Domain Name chosen by the Client, for the duration of the present contract and without prejudice, notably, that the Domain Name is available and that the Client respects terms and conditions of the present contract.

2. The Client acknowledges to register and use the Domain Name in compliance with the law and legal rights of a third party. The Client is the only entity liable for the use of Gandi registration services and the Domain Name. The Client looks after the editorial responsibility for the Domain Name use. In this respect, he is responsible for consequences of any dispute related to the Domain Name, notably for any consequence from law or fact affecting the Domain Name and any trouble of law or fact caused to a third party during the Domain Name use.

Their EULA does include a statement about abuse and spam:

6. About additional services provided by Gandi, the Client acknowledges not to use them for unsolicited bulk emailing ("spam") or any other fraudulent/abusive use. Any abuse will make Gandi stop providing those services to the domain name concerned.

They've always been a great registrar for me (read: no spam from them about services, always quick to reply to requests for information). I've stayed with them even as the dollar has declined in value against the Euro and consequently the price has risen.

Who owns your domain? Plug for Gandi
Posted Feb 2, 2007 1:44 UTC (Fri) by giraffedata (guest, #1954)

I don't get your point. These clauses, which are disclaimers of responsibility, illustrate the same attitude they all have: For what you pay us, you're not entitled to rely on us for anything.

It would surprise me if Godaddy doesn't have these same disclaimers in its contract.

I'd like to see a EULA that spells out one or two rights for the registree, for example, "Unless Client violates the rules above, Registrar will give 30 days notice before discontinuing the registration."

Who owns your domain? Plug for Gandi
Posted Feb 2, 2007 2:58 UTC (Fri) by IkeTo (subscriber, #2122)

I think what he means is that Gandi essentially says "if the domain owner does something illegal, I won't care, the domain owners are the only ones to face the jurisdiction". In other words, they will not entertain any request from any third party. That third party must contact the domain owner directly if he has a complaint.

Who owns your domain? Plug for Gandi
Posted Feb 4, 2007 18:06 UTC (Sun) by giraffedata (guest, #1954)

> I think what he means is that Gandi essentially says "if the domain owner does something illegal, I won't care, the domain owners are the only ones to face the jurisdiction". In other words, they will not entertain any request from any third party. That third party must contact the domain owner directly if he has a complaint.

I think so too, but if you read it carefully, that's not what Gandi says. Gandi says what they all say, including Godaddy: Gandi is not responsible to the customer for taking the blame if use of the domain harms someone. But Gandi is still free at its option to mess with the registration in order to prevent that harm, and this contract between Gandi and its customer definitely doesn't affect Gandi's responsibility to a third party for that harm.

Because this is standard one-sided CYA contract language, I don't think you can infer anything from it about Gandi's attitude toward requests like Myspace's.

Who owns your domain? Plug for Gandi
Posted Feb 9, 2007 8:46 UTC (Fri) by lacostej (guest, #2760)

I would note that gandi was initiated in part by Valentin Lacambre of altern.org who is known in France for having tried to stand up against corporations that tried to shut down his free hosting web site because one of the page members had posted scans of court-prohibited pictures.

In the end he lost and got to pay a fee.

Note that at that time, he offered 10M free space while the ISP and other usual services used to offer only 1M...

For those who can read French: http://fr.wikipedia.org/wiki/Valentin_Lacambre and http://www.journaldunet.com/itws/it_lacambre.shtml

Even though gandi was resold some years ago, I still believe the original spirit is there. That's why I still use them.

Who owns your domain?
Posted Feb 2, 2007 21:18 UTC (Fri) by cventers (guest, #31465)

As someone who has manned various websites and projects over the years, I would willingly pay a premium for a hosting provider and registrar that would pen a contract that says "We will not under any circumstances knowingly interrupt your service without a court order or properly-processed DMCA takedown notice". It's absolutely ridiculous that hosting providers don't already have this standard.

Oh, and I should note that I'm willing to pay this premium even though I've never hosted anything remotely questionable.

Who owns your domain?
Posted Feb 11, 2007 15:26 UTC (Sun) by Duncan (guest, #6647)

Sounds like what is known as "bullet proof hosting".

Wikipedia:
http://en.wikipedia.org/wiki/Bullet_proof_hosting
As it was when I viewed it (permanent link):
http://en.wikipedia.org/w/index.php?title=Bulletproof_hos...

The problem with such clauses is that it allows the spammers safe haven as well. Legitimate hosting companies reserve the right to take it down under certain conditions, generally including if it has been part of a spamming operation and they start getting many complaints about that. Note that alternative anti-spammer action taken if they do /not/ take it down is often blackholing entire IP blocks, often including many entirely innocent sites along with the spammer(s). How'd you like to be one of /those/ innocent victims? Get on a provider that includes the language you propose, and you /will/ find yourself inaccessible from portions of the net due to this blackholing, because spammers /will/ be taking advantage of it too, even if you yourself have nothing to do with the spammers other than having the misfortune of having chosen the same hosting provider due to their "bullet proof hosting" language.

I'm simply pointing out that the problem is rather more complex than it might first appear, but it does explain why basically zero legitimate hosting providers will have that sort of language. Spam's as big an issue (arguably bigger) as this is.

Duncan

Who owns your domain?
Posted Feb 10, 2007 17:10 UTC (Sat) by ringerc (subscriber, #3071)

Australia is interesting here, because we have very clear rules about who owns your domain and what they can do with it.

The AuDA (Australian Domains Authority) sets the rules; registrars follow them. The registrant of a domain does not own it - only AuDA does. You simply buy control of it for a certain period of time. The registrar and AuDA are limited in what they can do.

This becomes really nice in cases of squatting etc. Unlike the expensive and corporate-friendly process used by ICANN, in .au you can usually reclaim a domain you have claim to (and the claim rules are *clear*) if the current registrant isn't using it and offers to sell it to you. That's viewed as bad faith negotiation, and they lose control of the domain.

In general it works out as "if you play fair, everything works out." I haven't heard of any issues, and the AuDA guys are really good. It's in my view much saner not to view domains as "property" like the US system seems to, but instead view them as access to a resource.