The implication that gTLDs are bad and new ones shouldn't be introduced because of this is a bit silly to me. The argument that they somehow have lower registration requirements makes no sense, .shop .top and .xyz registrations involve the exact same amount of verification as .com (none). Prices aren't really that different and plenty of gTLDs are more expensive than traditional ones.
Registering a domain is frustrating these days, too many already taken and a lot of them by squatters not even intending to use it. I'd love to see more options personally even if it makes it slightly easier to create a phishing domain. We need better tools than memorizing a domain name to deal with that anyways.
I think the issue is you can register a known company name on one of these and plenty of people will think it's legit. Companies have to register on all these random domains to protect themselves.
dell.shop, that's probably the dell computer I know, right?
When a scam hits someone's inbox or text message, it finds them in a particular time in their life, in a particular state of mind, and in a particular context. It's not just about how gullible or uninformed or whatever they are. They may be tired, they may be drunk, they may be spending all their energy worrying about a sick relative, or trying not to.
They may have just been shopping for a computer, maybe even a dell. Or maybe they need a computer for their kid and don't have the means to afford one and are more likely to fall for a scam advertising a good deal on a computer than for any other scam.
These all add to the probability that someone falls for a scam. Phishing is all about casting a wide enough net that the probabilities align against some of the people you hit at the time you hit them.
Victims are not just uninformed. They are also compromised, and/or incentivized to believe this particular scam, and/or unlucky enough that the scam takes place when they were recently engaged in activity that makes the scam more believable.
Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.
Whether people are more easily fooled by dell.shop or dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general. The eye sees dell first in clear letters for both urls. Their sick relative doesn't change much here. I would honestly not be sure if either is a scam from the url alone. The improbable deal at the other end is the only meaningful signal.
> Whether people are more easily fooled by dell.shop or dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general.
It isn't. People fall because probabilities align. Something can catch their eye to knock them out of it.
A bad URL is a bad probability (for the scammer) in the chain, a really good URL is another good probability. If your assessment is that both URLs look equally good/bad to you, I, of course, won't deny that claim about your own experience. But to my eye, dell.computershop.com looks pretty bad and dell.shop looks pretty good.
I only answer my phone if I'm in the middle of getting a loan and so expecting a call from some unknown number at any time, and even then some numbers look too phishy to answer. The last time I got a loan I got a call from a local area code near the bank, answered, and found myself talking to a scammer about a loan. It was confusing, I believed it was the bank at first! Everything needed to align for them to get that far, including the phone number looking legit to my eyes. To someone else's eyes a number halfway across the country may have looked just as legit. Or the nearby number may have looked instantly bogus. This is exactly my point!
Just the fact that you had your credit report pulled for a loan qualification is immediately sold to ad brokers by the credit bureaus, who will sell it on down the line to less and less scrupulous buyers. It's not surprising to me at all that you got a scam call about a loan while you were in the process of legitimately applying for a loan.
I now ask businesses like these "what number will you call me from" and I put that in my phone as a contact, so that my phone will ring. If they call me from any other number I won't see the call.
Remember that Google was (is?) trying to remove the URL bar. Not just because it reinforces search as the main product and gateway to the web, but also because URLs are kind of hard for most people.
Which brings us to the original argument: is this a reason to ban gTLDs? Surely the cost of banning gTLDs outweighs the enormous benefits of making it easy for society's productive users to find names they like.
We also shouldn't discount the incredible benefit of having additional namespaces and markets positioned against domain name squatters. gTLDs linearly increase the costs to squatters. Good names can be found with lots of alternative gTLD offerings, which greatly increases the supply side for builders and entrepreneurs.
Ultimately gTLDs probably won't be banned simply because there's money to be made by the ICANN and registrars.
And then there are plenty of companies who put some legitimate part of their business on a wonky gTLD domain they only bought so that it's not bought by a scammer. Systems run by the investor relations department might run on examplecompany.biz, some hiring SAAS on examplecompany.work, the CRM on examplecompany.business and the tech support occasionally instructs someone to get a preview update from examplecompany.cc. Not because that's a smart thing to do, but because coordinating namespaces is not easy and dedicating an otherwise unused domain only bought to keep out the scammers is a tempting shortcut. And because training internet users that sometimes wonky TLDs are ok is an externality.
> Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.
I see this and raise you HP using domains like h30434.www3.hp.com for decades now. They only started to disappear fairly recently. Many companies will do it and people don't really care.
It would be nice if browsers surfaced the information about when you last visited a site. In the certificate information panel for Firefox you can find things like, "You visited this site 1067 times before" which is helpful information when evaluating if you're on the site you think you're on.
They're different. Companies register all kinds of crazy domains and redirect you through them all the time. Why is it crazy that some marketing person at Dell thought it would be cool to link people to 'dell dot shop'? I would check the certificates, but honestly only as a precaution. If the website looks correct that isn't such an insane thing.
That is exactly why it's so dangerous and effective versus your example.
What good does that do? It is pretty rare for companies to get an EV or OV certificate, since it is more expensive and more hassle than a DV cert, and even when they do, the name on the cert isn't always what you expect since it might be the name of the owning company, not the brand you are familiar with.
Whois on DNS isn't always reliable either, since it often just points to another company that provides a DNS service (such as AWS).
> Companies register all kinds of crazy domains and redirect you through them all the time
That's the real problem with domain trust these days. Companies go out of their way to make sure you know to only visit official links, and then do stupid stuff like buying vanity domains for one-time deals, or make you click through mailchimp tracking URLs because marketing tracking is more important than your customers falling for phishing. Those vanity domains then end up expiring, and now emails and web links that used to go to an official $brand server are all ready to be swooped up by scammers. Customers never stood a chance.
This isn't a TLD problem. It's a shitty company problem.
I wholeheartedly agree. Subdomains exist for a reason. Vanity domains are so incredibly sloppy and unserious.
Another issue is that they can make password management more of a chore. Every time I need to look up my Microsoft login, I have to remember to actually look up “live.com”. Except sometimes the login page is served from “microsoft.com”. Oops, you forgot your password and reset it; now your password for the other domain is out of date. Utterly ridiculous behavior from a company of their stature.
This made me think I'd somehow not saved my MS password because it wouldn't show up if you searched "microsoft". I know you can combine them like the other comment mentioned but what an awful default experience.
What I meant was that you can not put any trust in the contents of DNS labels; they should be handled as opaque blob-like identifiers. The only meaningful thing you can do with a domain name is to compare its labels to some reference.
So no, I don't trust that I'm on HN because I put any trust in the domain "news.ycombinator.com" signifying anything. I only trust that I'm on the same HN that I was on yesterday because the domain matches exactly the reference value. But the domain name could be anything, as long as it is stable.
Maybe it would be better to say "there is no inherent trust on domains". I trust HN today because I was on HN yesterday, and the day before, and last year, and 10 years ago, etc., and it's always been trustworthy (so far as I know).
But if I saw a link tomorrow for hackernews.shop and I went there, I'd be very suspicious.
Have you seen the domains Microsoft uses? Half the time I am not sure if they are genuine or not, it's actually crazy. Sometimes they use .com, other times .ms. Sometimes Microsoft is in the top-level other times it's in the second-level. Sometimes they have no subdomain, sometimes they have two. It's utterly inconsistent and it's insane to me how close some of them look to actual phishing domains...
If you get credits for Azure they're accessed through microsoftazuresponsorships.com. Why not sponsorships.azure.microsoft.com or something like that? I checked it three times when I got the link, because it's exactly the kind of domain someone would use if they were going to steal your Azure credits.
Maybe, maybe not. [citation needed] But store.apple.com is perfectly legit, so what’s wrong with apple.shop[0]? Sure, you and I know that one is a subdomain and one is a TLD. How many random folks on the street in Des Moines know this? 15%? Less? “Say what? It matters which end the ‘shop’ part is on? Whose brilliant idea was that?”
[0] sigh Apparently nothing is wrong with it, as it redirects to apple.com. So much for that example; take in the spirit intended.
There aren't "people who fall for phishing" and "people who don't", generally speaking. I know highly intelligent and talented people, well educated in general online security, who have fallen for phishing links and scams.
It's certainly possible to strongly protect yourself though, vs casually relying on intuition which is hopeless. You just need to establish a process or set of rules to follow. Businesses do this all the time. A classic scam is sending an invoice asking for payment, and some disorganized businesses will just pay you! But those with a process won't because you won't be able to give them a matching purchase order number and other things their process needs.
A basic personal protection is to not trust anyone who initiates contact with you, no matter who they say they are or what they know about you. Verify by contacting them independently instead.
Very true. My dad (late 60s) has written a DNS server, but still nearly fell for an email scam when he was sleep deprived and at the airport believing his flight was overbooked and he was going to be kicked.
I am unlikely to fall for either of them, but given compromising factors as mentioned by the other commenter, I am much less likely to fall for dell..com than dell.
Due to the widespread usage of 3+ common TLDs (com, org, net, etc.) and arbitrary third-level domains, people have been trained that the second-level domain is the one that matters. Now that gTLDs are more common I've needed to retrain my brain that the TLD is also a necessary heuristic for authenticating websites.
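The two points above (compare the domain to a stored reference, and treat the TLD as part of that reference now that gTLDs are common) can be turned into a small checker. This is an added example, not code from anyone in the thread; the suffix list and the trusted list are constructed stand-ins, and the verdict labels are my own naming.

```python
"""Compare a URL's registrable domain against a reference allowlist.

Constructed example. The suffix table below is a deliberately tiny stand-in
for the Public Suffix List (publicsuffix.org); a real tool would load the
full list.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed, partial stand-in for the Public Suffix List: suffixes under
# which the public can register names. Real TLD names, but not a full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "shop", "top", "xyz", "io", "ms",
                   "co.uk", "org.uk"}

# Constructed reference list: domains the user has decided to trust.
TRUSTED = {"dell.com", "hp.com", "microsoft.com", "live.com",
           "news.ycombinator.com"}


def hostname(url: str) -> str:
    """Host from a URL or bare domain, lowercased, without a trailing dot.

    Taking the host from the parser matters: urlsplit discards userinfo, so
    'https://dell.com@evil.example/' yields 'evil.example', not 'dell.com'.
    """
    if "//" not in url:
        url = "//" + url  # make urlsplit treat a bare name as a host
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label ('hp.com' for 'h30434.www3.hp.com').

    Returns None when the host is itself a suffix or has a single label.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Suffix not in our table: assume only the last label is the suffix.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def classify(url: str, trusted=TRUSTED) -> dict:
    """Classify a URL relative to the reference list.

    Verdicts (constructed labels):
      trusted             registrable domain is on the list
      lookalike-suffix    right brand label, wrong suffix (dell.shop)
      lookalike-subdomain brand label left of the registrable domain
                          (dell.computershop.com)
      unknown             nothing on the list resembles it
      invalid             no registrable domain at all
    """
    host = hostname(url)
    reg = registrable_domain(host)
    trusted_reg = {registrable_domain(t) for t in trusted}
    brands = {r.split(".")[0] for r in trusted_reg if r}
    if reg is None:
        verdict = "invalid"
    elif reg in trusted_reg:
        verdict = "trusted"
    elif reg.split(".")[0] in brands:
        verdict = "lookalike-suffix"
    else:
        prefix = host.split(".")[:-len(reg.split("."))]
        if any(label in brands for label in prefix):
            verdict = "lookalike-subdomain"
        else:
            # Note: a brand embedded in a longer label, such as
            # microsoftazuresponsorships.com, is NOT caught by this rule.
            verdict = "unknown"
    return {"host": host, "registrable": reg, "verdict": verdict}


if __name__ == "__main__":
    for sample in ["https://h30434.www3.hp.com/", "dell.shop",
                   "dell.computershop.com", "login.live.com",
                   "microsoftazuresponsorships.com",
                   "https://dell.com@evil.example/"]:
        print(sample, "->", classify(sample))
```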
Even aside from that, you probably want to register your own .sucks and .rocks, which just means whoever operates that registry gets to make a bunch of money from companies squatting domains that nobody wanted and bring no value to the world.
That’s kinda the point. Scammers want to deal with the poorly informed, the gullible, the vulnerable. They concomitantly prefer that the wary and street-smart select themselves away. A marketing professional would recognise the effective segmentation going on, and every new TLD is an opportunity in that regard.
I do not think so. I think if someone would have made an effort to rip off the real Dell site I would fall for it. I am just so lucky that scammer mostly prefer to go after the easier marks.
I am not sure what a better solution could be. The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.
I do however still prefer more gTLDs to minimize domain squatting.
> The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.
The idea was bad.
Anybody can open the Dell Flower Shop. They can call their company Dell Inc. and register the domain dell.shop and they're not doing anything wrong, because they're in a different industry and nobody is going to confuse a tulip with a laptop. And then they could get an EV cert that says Dell Inc. -- because that's who they are.
Which is why EV certs are worthless. Just because it says Dell doesn't mean it's that Dell. There can be arbitrarily many companies with the same name in different industries or locations. But then what is the certificate supposed to tell you that gives you more information than the domain name? The average person is not going to know a company's registration ID with the relevant secretary of state, or generally even what state they're incorporated in.
Answers like this, that basically call the users idiots and abdicate any responsibility on the part of tech, are a losing long-term business proposition. Figure it out and gain loyalty and market share.
I'm doubtful that most non-technical people familiarize themselves with TLDs/domain names. They use a search provider for whatever they need. As far as emails/phishing goes, it's a game of cat and mouse; it will never be over. Basically, don't trust unprompted email links and just go to the site if it's something you really want.
I wonder if we could add some type of verification registry. It would be nice if browsers could have a big indicator saying that this website is verified to be associated with Dell Inc.
Some HTTP certificates do exactly that, and web browsers used to show the company/identity the certificate was issued to in the URL bar. Now you have to go to the certificates detail, very clear on Firefox, behind a few clicks on Chrome. Here's an example from a bank in Spain: https://www.bbva.es
That was EV certificates. They were finally removed from browsers completely around five years ago because they didn’t actually work. At all. The problems were largely social. Plenty has been written about it, you can find it by searching.
Well, the original HTTPS certificates too were supposed to work like that; I remember reading a security article criticizing the EV proposal by quoting the old (circa 1998?) policy statements of different CAs and showing that they're pretty much identical to the EV requirements.
Yep that's the issue, I'm just saying I'd rather have that problem than the one where I can't register a clean looking personal domain because every idea I have is already registered (with 95% of them leading to a parking page untouched for years except to pay the bill). Feels like we just need more names available and I don't see how else we could get them.
> The implication that gTLDs are bad and new ones shouldn't be introduced because of this is a bit silly to me.
That wasn't what the article stated. The article stated that the problem is that the new TLDs are so cheap as to be disposable, and the registration requirements are lax. The combination makes them attractive to criminals.
It's literally the first sentence of the article:
"Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds."
The problem is the new gTLDs don't increase the useful supply of domains.
For casual usage like personal blogs and whatnot? Sure, use whatever.
But if I was starting a web-based business and couldn't afford the .com? I'd rename the company before I'd use .xyz - if your business takes off the squatters will notice and raise their prices, so the .com will never be cheaper.
If you got an "urgent e-mail" saying your employer needed you to confirm you're legally allowed to work, and they directed you to experianrtw.app - would you go there and send them a photo of your passport?
There are a few options, though. The fact that .io got so popular shows that we are not forever chained to .com. It's just that a lot of the nuTLD options are honestly hilariously bad, most of them are just lame. My personal top picks are ".online" and ".software" with mention to ".network" but they're all WAY too long. I actually use ".cafe" for my personal stuff because it's short and cute. Obviously can't use that for your SV rocketship company though.
Would it have been so hard to sit down and pick a couple short ones - yknow, ones people might actually use?
Unfortunately, .io is now also unsafe with the upcoming transfer away from the UK; another cautionary tale for those considering not getting a .com.
I’ve been seeding government and business forms with a .io email address for years (to counter gmail dominance), and I’m quite concerned about the situation now.
That's because it's a ccTLD, not because it's not dot-com though. The powers that be could very well decide to just promote it to be a gTLD if they wanted to not destroy stuff for no reason. Actual gTLDs aren't susceptible to the same kinds of issues.
Literally, these are arbitrary strings following arbitrary rules. It's time to ditch ICANN and develop a parallel DNS that makes sense for today not the 90s.
Yes they can. They did it before after the Soviet Union broke up and they kept the .su TLD. It's still active. I'd argue that keeping around .io is more important than keeping .su around, seeing how many people and businesses use .io domains.
The Soviet Union ceased to exist. As long as the British Indian Ocean Territory is not breaking up or otherwise dissolving, it still is allocated a ccTLD.
If I got an 'urgent email' I wouldn't go to any domain, I would contact my employer directly and confirm with them before doing anything. The people who would fall for this phishing scam would fall for almost any domain, because it's not about the domain.
Bad example. The requirements to register in .bank are quite rigorous (see https://register.bank/eligibility/). Phishers typically go for TLDs that impose far fewer requirements on their registrars.
The lion's share of issues with domains would go away if we made squatting illegal, or at the least, extremely expensive.
Tbh I'm increasingly thinking that just about any speculative instrument in the economy is just grift and drag. If you want to make money, make things. Stop trying to extract rent or exorbitant prices for land, for domains, for PS5s, etc. Feels like 9/10ths of the economy now is nothing but fucking middlemen, when we have a dearth of need of ANY middlemen at all anymore.
> The lion's share of issues with domains would go away if we made squatting illegal, or at the least, extremely expensive.
How do you define squatting? Is the owner of nissan.com "squatting" on it because he wouldn't sell to the Japanese car company? How much interest do you need in a given domain before it's not squatting?
Then you're squatting. Like if you own turkeyonapig.com and it's literally just a web page with a picture of a turkey sitting on a pig? Not squatting. It's odd but it's clearly doing exactly what it's meant to be doing. If you own turkeyonapig.com and are doing nothing but advertising that fact, and that someone can buy it? Squatting.
> Is the owner of nissan.com "squatting" on it because he wouldn't sell to the Japanese car company?
I mean, it depends. One would argue that people going to nissan.com are clearly looking for the Japanese car company, so it's in the public's interest that that domain be sold to them. On the other hand, if someone owns it and is using it to run a Nissan fan website? Well I suppose that's trickier, but that would also probably be better suited to something like nissanfans.com.
It's a tricky thing but not impossible to figure out.
>I would argue if you aren't doing some combination of: [...]
Cloudflare offers free website hosting and email forwarding, so it's basically free for a squatter to check those boxes.
> I mean, it depends. One would argue that people going to nissan.com are clearly looking for the Japanese car company, so it's in the public's interest that that domain be sold to them.
So you basically want the Kelo v. City of New London decision to be applied to domains as well? You own "erictrump.com" but aren't the president-elect's son? Well tough luck because it's "in the public's interest" that president-elect's son gets it rather than you.
> Cloudflare offers free website hosting and email forwarding, so it's basically free for a squatter to check those boxes.
Sure. But it still takes time, or as someone else suggested, a GPT query. Putting literally even the tiniest amount of work in front of squatting will reduce the amount of squatting.
> So you basically want the Kelo v. City of New London decision to be applied to domains as well? You own "erictrump.com" but aren't the president-elect's son? Well tough luck because it's "in the public's interest" that president-elect's son gets it rather than you.
I mean, it is. And putting the phrase in scare quotes isn't a counterpoint.
One could argue in fact that one of the multitude of reasons for the rise of platforms is that it's so hard to find anything on the actual internet, and part of that in turn can be blamed squarely on squatting.
You can boil it down to: are you offering it for sale? If yes, squatting. If not, early bird gets the worm. You should be able to own a domain name and not be required to do anything with it beyond paying the registrar to legitimize your ownership.
I really don't think eliminating domain squatters is some impossible task. You could probably just tax sales of domain names to death (90% sales tax on any resold domain names) to disincentivize it vs registration upkeep costs.
The problem goes way beyond domain squatting. You have a limited resource, say nissan.com, and you have several valid claimants. Who gets to decide what's fair? First past the post? Heaviest pocket book? Biggest stick? Popular acclaim? ...
It's not unique to domains; this is why the world is nuts.
I don't intend to solve this problem entirely, just to displace this business model of squatting domains, which is a massive waste of domain space.
First past the post is "good enough" for me if the intrinsic value of the domain to you is greater than the domain registration fee of like 3-10 bucks a month.
There shouldn't be a major reselling market, that would be like if the majority of space in the yellow pages was just advertisements that said "your business ad here!"
The tax would be done by the registrar or ICANN or whatever (although throwing more money at them might increase corruption of their bureaucracy, oh well). You could burn the money for all I care.
If you get caught, the domain is blacklisted. Ownership transfer is public, so there is little incentive for buyers to go with this route.
And you think a domain squatter would be deterred by high pricing and not just point every single domain to a VPS with a "Hey guys buy my domains" page? Or even just point them to any random IP, since DNS is one of the legitimate uses you named?
> a web page with a picture of a turkey sitting on a pig? Not squatting
GPT/Cursor will create that page for you in 5 min. I bet a NotSquattingAsAService startups will appear which will create the "not squatting" fake site for you for $2.
I mean, that's an improvement in my mind over millions of insipid "BUY THIS DOMAIN!" web pages. At the least the internet would be more interesting?
But also like, then you aren't advertising it for sale. So I'm wondering how many offers you're going to get to sell that domain, which is the point of squatting it.
That's not how most squatting pages are sold. They are registered for sale in places like NameCheap and you can see it directly when you search for domains.
> NotSquattingAsAService startups will appear which will create the "not squatting" fake site for you for $2.
That's an improvement. Adding $2 to $5 to the cost of a squatted domain will start to dissuade people who squat on tens of thousands of domains, if they suddenly have to pay $20,000 to $50,000 for the not squatting service.
> That's an improvement. Adding $2 to $5 to the cost of a squatted domain will start to dissuade people who squat on tens of thousands of domains
There's no way static site hosting and an email service cost $2-$5 per year per domain, especially for bulk users. Even if we take that price at face value, a .com domain already costs around $10/year. A 20%-50% increase will only change behavior at the margins. It won't make chat.com magically become available, and at best will make some D tier domains available. Ironically the introduction of gTLDs probably had the same effect. Squatting harrisonburgrealty.com is suddenly going to be less profitable when there's harrisonburg.{realty,realestate,realtor,homes,house,place,properties,rent,apartments} available as well.
To be clear, when I said make it cost more, I was thinking more like taxes. Similar to how we should be taxing vacant homes to raise the cost of keeping empty properties and lower the rents in turn.
It doesn't matter if you're just a dude or a corporation, you play by the same rules. There isn't anything to solve here. These problems are solved between those 2 parties and no one else.
Good Lord. It's in the public's interest it remains this way.
Another person here had it right, companies have been playing with fire with their URL shenanigans. From one time TLDs to abusing tracking parameters. Not to mention browsers in their insane quest to strip useful information out of their UIs, making you CLICK to see who owns the place. Clown world really.
It's not a particularly hard problem. Most countries have rules on what you can use as a business name or register as a trademark. Domain names are just more of the same.
And you don't really own your domain. You are just renting it from whichever authority is responsible for the TLD. If you stop paying, the authority will eventually take it back.
And there are also businesses with identical names. But the basic idea was already established long before the internet. If you have a legitimate claim to a name, you have a legitimate claim to that name. There may be multiple entities with a legitimate claim to a particular name, in which case the first one that used it in a particular context gets to use it in that context. And if you think that someone is using a name you have claimed in a misleading way or acting in bad faith, you can sue them and let the courts decide.
The problem is that, as you note, trademarks and company names are not unique, but domain names are required to be unique. So that n to 1 relationship between trademarks/names and domain names intrinsically creates a problem: how to allocate the domains when there are many equally legitimate pre-existing claimants. This is not a solved problem the way you portray it, because domain names have this novel uniqueness requirement.
Of course this raises the valid question of whether using names in this way at all is a good idea. For example, the telephone system and lots of banking stuff are based on simple numerical identifiers, and lots of countries also have some unique (numerical) identifiers for companies and persons. So there is fairly strong precedent for using assigned ids instead of names when uniqueness/specificity is required. But somehow we have jumped to the conclusion that for example IP addresses would be too confusing to the average Joe, and in an attempt to hide them we have created an even more confusing system.
Many countries already solved this problem with their ccTLDs decades ago. It only required taking the established practices and applying them to a new class of names. There are always some edge cases, but domain name assignment is pretty much a solved problem.
If you're starting a new company, squatters are not a real problem. Just pick another name. If your favorite name is so valuable that it's squatted, then it's valuable! The squatter was reserving it for you, the only company that could really make good use of it, instead of some random personal blogger who happened to walk in first and would waste its high value.
Also, what's the difference between a squatter and a personal blogger?
That's certainly an issue. There have been a number of cases where companies have demanded that people hand over domains that they "were not using". Not using being defined as "does not have a website".
It feels like there should be some way of determining if a domain is actively being used, to combat squatters, but whenever someone tries to make a rule it ends up being something stupid, like not having a website.
Email is one of the easier services to detect; not only does SMTP specify that the server sends a greeting before authentication occurs, but there's also a bunch of DNS records just sitting there in full view. I'd say it's easier to detect real usage with email than with HTTP, because, to my knowledge, nobody runs an MTA just to say 'this domain is for sale' like they do on the Web!
gTLDs don't really solve the problem of running out of domain names any more than doing it yourself like myname-shop.com. There are too many gTLDs for anyone to remember so they're really just an arbitrary extension on the 2nd/3rd level name.