[HN Gopher] Cloudflare loses 22% of its domains in Freenom .tk s...
___________________________________________________________________
Cloudflare loses 22% of its domains in Freenom .tk shutdown
Author : speckx
Score : 255 points
Date : 2024-03-16 12:24 UTC (10 hours ago)
(HTM) web link (www.netcraft.com)
(TXT) w3m dump (www.netcraft.com)
| thangngoc89 wrote:
| Unrelated to the article but seeing .tk brings back many
| memories. As a kid without a bank account, let alone an
| international credit card (VISA/Mastercard), dot.tk is the only
| way to put a website online with your name. I created countless
| websites with .tk for classmates, school and families.
| captn3m0 wrote:
| I used .co.nr alongside .tk for a while, before moving to
| .co.cc, and then finally managing a way to buy my domain.
| giancarlostoro wrote:
| I think I had co.nr too! I just don't remember if it was like
| .tk or if it was one of those webhosts.
| jszymborski wrote:
| I definitely had a .co.nr domain before a .tk. I think I also
| remember (I was likely 13, so it's been a while) that they had
| an "English" test question on the sign up form that read
| something like "A Britney Spears is a:" and one of the
| options was "Hamburger".
|
| Looking back this could have been to slow robots down, but I
| distinctly remember one of the terms being you speak and host
| English content.
|
| Another service I used a lot was "dominosfree" which had a
| bunch of *.gs domains that looked like CC-tlds. I used *.ca.gs
| a lot.
| tamimio wrote:
| Ah, co.cc, the tld that was full of php reverse shells!
| creatonez wrote:
| .co.nr was strange because it put your page inside of an
| iframe and required advertisement of the service.
| 101008 wrote:
| Same here. .tk was the only one back then that allowed you to
| have your own domain name without subdomains. My memory is
| that:
|
| 1. freeserver.com/~userna <- This was the first URL you could
| have, sometimes with something inside another directory
| (freeserver.com/users/u/~usernam).
|
| 2. username.freeserver.com <- This wasn't that bad but it
| didn't look professional. Tripod used to do this.
|
| 3. username.fs.com <-- A service with a short domain that
| provided free subdomains. This was similar to 2 but shorter.
| Some of them allowed you to choose the domain part.
|
| 4. username.tk <-- Among all the free options, this was the
| best one by far.
|
| Then we grew up a bit and started paying for domains :')
| giancarlostoro wrote:
| I'm trying to remember, I think it was 8m.com or something like
| that? Which also let you have stuff like username.8m.com, it's
| probably gone now.
|
| I also miss tripod, not sure if it's still around how it used
| to be. Angelfire comes to mind too.
| moltar wrote:
| Oh ya. I had my first website on 8m.com still available in
| the archives!! Best days!
| davchana wrote:
| Those sites are still up, the control panel is at
| freeservers.com my Site davinder.8m.net is still up after
| 22 years. I chose .net because it was cooler than .com :)
| ljm wrote:
| I remember 20m in the UK, which did basic hosting.
|
| Good times.
| echelon wrote:
| The problem with .tk was that it would inject ads into your
| content. And the whole TLD was filled with low quality spam
| and hacks. I never liked it.
|
| $7/yr for a domain was one of the very first internet
| purchases I made. Then that set me down a path of finding
| free dynamic DNS services. For a short time my website and
| Invision forum were only online when I was, but I felt like
| I'd beaten the advertisers.
| thangngoc89 wrote:
| I remember there were scripts that remove the ads .tk
| injected
| jesprenj wrote:
| I don't remember this. I started using TK domains as a kid
| in 2017 and you set your own nameserver records and they
| didn't serve ads.
| reidrac wrote:
| When I used .tk briefly in 98-99 it was using iframes and
| they injected ads and/or opened pop-ups IIRC.
| echelon wrote:
| This was in the 90's and 00's.
|
| .tk was the only top level domain you could get without
| having to give them payment details or personal
| information.
|
| It was a huge deal at the time for kids, students, and
| spammers.
|
| They made their money by injecting scripts onto your
| pages to display banner ads.
| Unfrozen0688 wrote:
| >kid >2017
|
| fucking hell
| umbra07 wrote:
| I know right! I feel so young.
|
| there are people on this site that were born in the
| previous millennium! :O
| Tijdreiziger wrote:
| How do you do, fellow kids?
|
| (reference: https://cdn.vox-
| cdn.com/thumbor/mO8UICqmeSd97l09w_FgSP1TDPQ=...)
| fragmede wrote:
| oof. We didn't even have the Internet, never mind Google.
| Kids these days will never even know what it was like pre
| ChatGPT. Programming and even just computers alone was
| _hard_ back in the day.
| broast wrote:
| I remember one around the year 2000 that gave you
| yourname.com for free but it would host your site in a
| frameset with a bottom frame serving banner ads. IIRC it was
| called NameZero, but I don't think it lasted long.
| Kye wrote:
| That was definitely NameZero. Their problem was they had no
| way to control what you ran inside your frame, so everyone
| ran a well-distributed code snippet that removed the ad
| frame.
| pests wrote:
| Similar to Angelfire, which only inserted ads into the
| top of .html files, so you just built your entire site as
| .txt files and rely on the browser's "be lenient in what
| you accept" to render it as HTML.
| Semaphor wrote:
| de.vu was popular in Germany for subdomains, I had a few of
| those. Also a .tk one later.
| V__ wrote:
| Yeah, also .de.tf. I just looked it up and my old site is
| on the wayback machine. So many memories.
| tarsinge wrote:
| In France .fr.st was a popular free option
| Biganon wrote:
| Yup, and .fr.fm too
| hnbad wrote:
| de.vu always rubbed me the wrong way because it kinda
| looked/sounded like DVU, a far-right political party that
| eventually merged with the neo-nazi NPD (which, fun fact,
| recently rebranded itself as _Die Heimat_ - Homeland). To
| be fair, the party didn't have much political relevance
| for most of its history but it did manage to win seats in
| some state (_Land_) parliaments in 1998, 1999, 2003, 2004
| and 2007 so it did come up in the news around the time
| those domains were most popular.
|
| On the other hand, .tk was in my mind mostly associated
| with German hobbyists and piracy. I think my old
| StarCraft/CounterStrike clan had a .tk domain at one point.
| Semaphor wrote:
| Never got the DVU connection, my AoE1/2 clan had .de.vu
| before we got a .de, I also know several other people in
| my class who had one.
|
| On the other hand .tk is more something I remember in
| connection with spam and scam :D
| Bluecobra wrote:
| I recall using *.8k.com because that was one of the shortest
| free *.com options around.
| davchana wrote:
| My site davinder.8m.net is still up after 22 years. Only 2
| years ago I managed to find its password.
| jonathantf2 wrote:
| I remember putting up Minecraft servers under .uk.to, also
| co.cc
| syuil wrote:
| Oh man, this brings back memories from high school!
|
| .tk was a blessing for us.
| lnxg33k1 wrote:
| In Italy we had 3000.it
|
| https://web.archive.org/web/20010331143129/http://www.kliman...
|
| SPOILER: I didn't become a webdesigner
| UnlockedSecrets wrote:
| But did you become a webmaster?
| lnxg33k1 wrote:
| Yep webhighmaster :D I'm a software developer now
| zer00eyz wrote:
| LOL!
|
| On a good day sure, most days I would settle on me being
| a house elf, or dozer...
| lnxg33k1 wrote:
| Dobby! :D
| rightbyte wrote:
| "Copyright (c) by klimato (r) All Right Reserved"
|
| Heh. I remember thinking '(c)' and '(r)' being cool letters.
| I put it on every page since it looked pro. I guess you
| didn't actually register the "brand"?
| lnxg33k1 wrote:
| Naaah I changed dozens of nicknames since then :D
| cqqxo4zV46cp wrote:
| God. I'd forgotten all about .tk until reading this comment.
| What an amazing time.
| tamimio wrote:
| I remember flexing on my friends that the google site I had got
| a proper name with .tk!
| xeromal wrote:
| I remember in the early 90s telling Mom that I built my own
| website. Mom was like no way that's impossible. I can't remember
| exactly where it was but it was like zoogatyler1.go.com or
| something. I think it was owned by Disney? I must have been
| around 7 or 8 but I remember being so excited. I think it was
| more of a homepage than anything. I started delving into those
| .tk sites when I was around 11 or 12 probably.
| stef25 wrote:
| I launched one on a compuserve domain (I think) around the
| same time. Built it with FrontPage Express that came for free
| on a cd with a magazine my dad bought. Day after I launched
| it I had like 20 emails from random people with questions &
| comments about the site, crazy. Build it and they will come
| was def a thing.
|
| Later on in the UK I put a site on a madasafish domain.
| atum47 wrote:
| I used to host my websites wherever and then having a redirect
| to it. Two I remember were pagina.de/dr.enima (roughly
| translates to site of dr.enigma, my nickname back then) and
| i.am/supermatrix - a website dedicated to the movie the matrix
| which I love.
|
| I think both of those pages were hosted in geocities and had
| pretty long urls...
| atum47 wrote:
| If I recall correctly, I use frames with size 0 on the top
| and 100% on the bottom, making that annoying banner invisible
| wnevets wrote:
| I remember switching to cjb.net because you could get free
| wildcard email accounts for your domain.
| a1o wrote:
| Now that is a name I haven't heard in a long time. I had a
| Dragon Ball Z website using that domain, feels so long ago.
| p3rls wrote:
| It's interesting seeing it parallels the problems with .tks
| today-- I remember using cjb.net to make my own LOVE@AOL
| websites and phish AOL users telling them that a crush liked
| their account. Easiest money a 12 year old ever made.
| xyst wrote:
| same - I remember hosting a small web server from a crappy pc
| at my parents' house and using a .tk to serve the site.
|
| Probably not the smartest thing to do at the time since I may
| have opened up all ports on the router to get it to work, lol.
| No https. No security. No moderation. Copy and pasted some html
| from a site that I thought was cool, search and replaced text
| to make it my own.
|
| It was kind of like a microblog before twitter, fb, ig,
| blogspot, tumblr.
| accrual wrote:
| My favorite was .uni.cc, I had a couple of those free domains
| back in the day.
| chomp wrote:
| Thank god, .tk caused so many headaches for us, truly a cesspit
| of a tld. The rate of fraud and abuse on our platform was
| staggeringly high from it, it was close to 99%.
| jackblemming wrote:
| You think that fraud is just going to go away because .tk is
| gone?
| jamespo wrote:
| probably not, but very little of value has been lost
| dlachausse wrote:
| I would disagree, I remember as a kid in the late 90s being
| able to host a website on one of the free hosting providers
| and then pairing it with a free domain name just made the
| whole thing that much more special. $10 or so a year for a
| paid domain name isn't a ton of money, but it can be for a
| kid with no credit cards and parents that aren't convinced
| as to why you "need" a domain name.
| bombcar wrote:
| The problem is that "free for kids" is also "free for
| scammers" and it's hard to square that circle.
| kdmccormick wrote:
| Would be really cool if public schools provided a free
| domain and basic hosting for any interested middle/high
| school student.
| cube00 wrote:
| Good luck considering we can't even pay teachers
| properly.
| kdmccormick wrote:
| Cost would be negligible compared to a teacher's salary.
|
| (1 teacher / 20 students) * ($50k / teacher-yr) = $2500
| per student per year to fund teacher salary.
|
| Compare that to $40/yr domain+hosting, which maybe 10% of
| students will use. $4/student-yr will not be the difference
| between paying teachers properly or not.
| lxgr wrote:
| That budget only works if you don't care about content
| moderation or abuse management at all - or did you expect
| teachers to just do that on the side?
| where-group-by wrote:
| I don't think that would be a good idea. It would
| introduce an admin burden on the schools related to
| moderating/monitoring the sites. And they would more than
| likely overstep in one way or another, when enforcing
| their rules.
| kdmccormick wrote:
| I was thinking state-administered. Public school
| enrollment would just be the precondition to access the
| program.
|
| But sure, yeah, there'd be some admin time spent managing
| it. As with anything, there are plenty of reasons not to
| do it. It struck me as a low cost-to-impact ratio thing
| that could get kids into tech, but reasonable minds could
| disagree.
| bombcar wrote:
| The only way it would work is if it was literally handled
| by the government, and the associated 1st amendment rules
| applied (so it wouldn't be moderated unless it was
| actually shut down by a court case).
|
| It would result in rampant wildness and people
| complaining, but if you didn't do it that way the burden
| would be too high.
| lxgr wrote:
| Another way of looking at this is that scammers can
| probably afford to spend $5-10 on a TLD since it's just a
| cost of doing "business" to them, but many kids can't.
|
| I was very happy about free TLDs back in the day as a
| teenager, since I could just try things out before having
| to convince my parents to let me use their credit card to
| register a proper domain name.
| Caligatio wrote:
| It's infinitely easier to spend $0 vs $0.01 if you're
| trying to be anonymous online. The criminals can
| certainly afford it but that also almost certainly means
| interacting with financial systems that leave a paper
| trail.
| lxgr wrote:
| I doubt that that's any kind of obstacle to criminals.
|
| At a quick glance, many registrars and hosters seem to
| accept crypto, and anyone can buy prepaid Visa and
| Mastercard cards anonymously for cash for the ones that
| don't.
| knodi wrote:
| We're not in the 90s anymore. Many free subdomain
| options such as gitpages or full on free app (heroku)
| exist now.
| eszed wrote:
| It would follow that Cloudflare is tacitly admitting they have
| been / are hosting a large number of domains used for fraud and
| abuse. That surprises me, given the time and effort they spend
| mitigating fraud and abuse. Anyone care to explain what I'm
| missing?
| Alifatisk wrote:
| Shouldn't be a surprise, there is a tight relationship
| between Cloudflare and the booter community. I remember every
| booter site or similar was always behind Cloudflare, I think
| it was a common practice because it didn't seem like
| Cloudflare cared about these abusive sites.
| KomoD wrote:
| > That surprises me, given the time and effort they spend
| mitigating fraud and abuse
|
| What time? What mitigations?
|
| Cloudflare will proxy anything and then tell you "we're just
| a proxy, so we won't do anything lol" when you report anything
| other than cf pages. Doesn't matter if it's terror groups,
| animal torture, piracy, doxing, far right groups, etc.
|
| I have personally submitted abuse reports and seen that
| absolutely nothing happens.
|
| Oh and also the amount of abuse I see from people using
| Cloudflare Warp is also very high.
| eszed wrote:
| I was thinking particularly about the DDoS protections they
| advertise (and explain in lovely technical posts on this
| site). So you're saying that they protect their network
| from others, whilst disregarding harms their clients cause
| to others. That was something I was missing, so I thank
| you.
| michaelt wrote:
| Before cloudflare, it was difficult to run a DDoS-for-
| hire service because competing services would all DDoS
| each others' websites. Back when CDNs were all "call for
| pricing" affairs.
|
| Cloudflare had the insight that the more DDoS-for-hire
| services there were out there, the greater the demand for
| their services. Offering free DDoS protection to DDoS-
| for-hire services helps keep customers coming back for
| more.
| derefr wrote:
| > Before cloudflare, it was difficult to run a DDoS-for-
| hire service because competing services would all DDoS
| each others' websites.
|
| I mean, you don't need websites to advertise. Most DDoS-
| for-hire services back before 2009 advertised on IRC,
| NNTP, via ads in .NFO files found in warez releases found
| on Kazaa and BitTorrent, and so forth. (Some of the very
| tech-headed ones had Freenet sites.)
| gadders wrote:
| They've definitely refused to help far right sites and
| sites like Kiwi Farms.
| KomoD wrote:
| Yeah, because of the pressure after it all blew up. They
| even said in their own blog post that it was an
| "extraordinary" decision and did not believe terminating
| them was appropriate.
|
| Kiwi Farms used their services for at least 6 years
| before anything happened.
| chx wrote:
| And all that pressure was for naught because it's still
| available right on the clearweb :'(
| lapsed_pacifist wrote:
| This is a good thing. Turn that :'( into a :)
| immibis wrote:
| Is it? Currently giving 502 Bad Gateway. Seems like
| they're having hosting troubles.
| KomoD wrote:
| Yes, outage right now.
| lxgr wrote:
| > the amount of abuse I see from people using Cloudflare
| Warp is also very high.
|
| More so than from "traditional" VPNs (i.e. the ones
| claiming to keep "no logs and never selling your data")?
|
| That's quite surprising, since Cloudflare makes no such
| promises and markets Warp as a security/performance
| improvement tool, not an anonymity-providing one. I think
| at least for a while, Cloudflare-hosted sites would even
| bypass it entirely and they'd get the real underlying
| client IP.
| KomoD wrote:
| > More so than from "traditional" VPNs (i.e. the ones
| claiming to keep "no logs and never selling your data")?
|
| Yes, because it is a free service, an easy and free way
| to just hide your ip address. You don't even need an
| account.
|
| > I think at least for a while, Cloudflare-hosted sites
| would even bypass it entirely and they'd get the real
| underlying client IP.
|
| Correct, this used to be the case, but no longer is as
| far as I can tell. But even with that, it was an issue
| for non-Cloudflare websites and services that are being
| attacked that aren't HTTP(S) (e.g. SSH)
| lxgr wrote:
| Ah, I haven't been following it closely. Thank you! Just
| found a blog post on that architectural change:
| https://blog.cloudflare.com/geoexit-improving-warp-user-
| expe...
|
| Are they responsive at all to abuse notifications about
| their VPN users? Presumably the only thing they could
| even do is to block an upstream IP address, given that it
| doesn't require an account.
| derefr wrote:
| Depends on what you're trying to achieve, I think.
|
| Cloudflare's policy is that if there's ToU-violating
| content being served through a Cloudflare-proxied domain,
| you can report it to _request de-anonymization of the
| domain_ , so that you can then reach out to the actual
| host.
|
| I've reported Cloudflare-proxied phishing-site clones of my
| company's website to Cloudflare, and they've usually come
| back to me with a pointer to the upstream-origin's ASN/ISP
| to reach out to within a few hours.
| beanjuiceII wrote:
| sell the problem and the solution, good business
| Retr0id wrote:
| Cloudflare's business model is largely reliant on the
| internet being filled with abuse.
| johnklos wrote:
| If you try to find evidence that Cloudflare mitigates fraud
| and abuse, you'll mostly find anecdotal evidence (sites that
| have been attacked and moved to Cloudflare, mostly) plus
| information and claims provided by Cloudflare, which is
| unverifiable. The problem is that nobody protects us, the
| Internet, from Cloudflare.
|
| Cloudflare will happily take money from and host (yes, host -
| they host, in spite of their rather stupid and completely
| disingenuous assertions that they don't) spammers and
| scammers. They do all the time, and they have no intention of
| changing that any time soon.
|
| If you forward phishing spam to abuse@cloudflare.com, guess
| what? Nothing happens. You get an automated response, but
| they do nothing about it. They expect you to visit a web page
| that has all sorts of intentional problems (intentional
| because they've been pointed out to Cloudflare and Cloudflare
| hasn't addressed them for years) that make the process
| arduous and time consuming. For one, they don't have "spam"
| as an abuse type. For another, even though they now literally
| host web content, and even though they're a domain registrar,
| if you don't paste in a URL pointing to a site hosted by
| their proxying product, then you can't submit your form. This
| means there's literally no way to complain to Cloudflare
| about domains for which Cloudflare is in WHOIS and SOA
| records, and for whom Cloudflare hosts DNS. The fields are
| limited to some particular size (2,000 characters? I forget
| exactly), and have issues where if you paste more than a
| certain amount of content but less than the hard limit, you
| can't submit the form. If you try to use the form more than
| once a minute or two, IT'S RATE LIMITED and you can't submit
| the form. Imagine that - they need to protect themselves from
| human-speed abuse reporting.
|
| In other words, it's REALLY hard to use their site to report
| abuse to them, and they know this, and it's intentional,
| unless we want to believe that they just suck at
| understanding how to make a web page that works.
|
| If they get enough complaints about a given phishing domain,
| they eventually take action, but it'd be after several days,
| which is more than the lifetime of a typical phishing
| campaign. In essence Cloudflare is one of the most popular
| phishing and spam-promoted hosting platforms because of
| Cloudflare's intentional foot dragging and claims to want to
| "protect free speech".
|
| They got on my shit list years ago when they told me - not
| kidding - that they couldn't just take down a Bank of America
| phishing site when it was pointed out to them because of
| "free speech". In other words, they don't want to set a
| precedent where they can apply the tiniest modicum of common
| sense and take down phishing sites which any reasonable human
| on the planet can unambiguously recognize as fraud.
|
| Bottom line: Cloudflare tells the world that there's SO much
| bad stuff out there, and you'll get in trouble if you don't
| use their products, and that's mostly true if you want to run
| phishing and spam-promoted web sites, so scammers and
| spammers use Cloudflare and are protected from those of us
| who would report those spammers and scammers.
|
| For all the companies and individuals who use Cloudflare,
| many are fooled into thinking they need Cloudflare when they
| don't and are just making their sites problematic for much of
| the non-western world while helping a wanna-be monopoly re-
| centralize the Internet around a for-profit company that has
| a history of profiting from scammers and spammers.
|
| If anyone thinks Cloudflare legitimately protects the
| Internet by mitigating fraud and abuse, I'd be very
| interested to see evidence that doesn't come from Cloudflare
| that shows this.
| RyeCombinator wrote:
| What are some other viable options?
| johnklos wrote:
| 1) not using DoS / DDoS protection, or using any number
| of hosting services that have this built in, or using a
| service that doesn't marginalize large parts of the world
| in the name of "security". DoS / DDoS attacks are not as
| common as Cloudflare would want you to believe.
|
| 2) use literally any other registrar / DNS service /
| hosting platform. You then won't need to worry about
| whether people all over the world will be getting
| CAPTCHAs on every visit because of where they live or what
| browser they choose to use.
| Tijdreiziger wrote:
| They don't only offer DDoS protection, but also a WAF
| (Web Application Firewall), and if you run commodity
| software, attacks are very common.
|
| I know this because I manage a WordPress site fronted by
| a different WAF, and I can see in the logs that malicious
| bots are trying to pwn the site basically 24/7.
|
| (and before you say 'patches' - yes, but defense in depth
| is a thing, and you don't always have the luxury of
| vendors with good security practices.)
| johnklos wrote:
| Yes, Wordpress is attacked incessantly. It's designed to
| be actively hostile to security, so yes, a firewall that
| helps ameliorate is a good thing.
|
| However, if you really care about Wordpress security, a
| WAF is just covering things up, and yes, you need to
| patch (but that's not really the fix). The proper fix is
| to reconfigure things to not follow Wordpress' absolutely
| ridiculous security. While patching depends on vendors,
| securing Wordpress from its own hubris doesn't depend on
| vendors.
|
| But even where Cloudflare's products are arguably good,
| they still do too much in my opinion to marginalize non-
| mainstream visitors and to re-centralize the Internet
| around one big company. Every time they have issues, huge
| parts of the Internet are affected. If I wanted a WAF,
| I'd get it from elsewhere.
| NicoJuicy wrote:
| They don't host the domain. Hosting happens somewhere else.
|
| Which is where the crackdown should happen.
| jlarocco wrote:
| I've heard people bring up that problem before. On one hand
| they protect sites from DDOS attacks and bad actors, but on
| the other hand they help keep the bad actors online.
|
| If there's no abuse, nobody will pay their protection money.
| saghm wrote:
| It seems at least plausible to me that either there would be
| even more fraud and abuse than there already is without the
| time and effort to mitigate it, or that maybe their
| mitigation is not as effective as they'd like. This isn't
| meant to contradict the other theories being posted here; I
| don't really have any experience specific to this area, so
| it's possible I'm just being naive.
| Tijdreiziger wrote:
| Yeah, I find this whole thread a bit odd. Cloudflare has
| been a highly regarded service for years, and suddenly
| people are blaming them of running a protection racket,
| without providing a single source or piece of evidence (or
| a presumably more ethical alternative, for that matter)?
|
| As they say, extraordinary claims require extraordinary
| evidence...
| creatonez wrote:
| If .tk was such a clear signal for abuse, isn't it a bad thing
| that signal no longer exists?
|
| I'd rather ICANN finally introduce .free, give a few years to
| alert everyone, and those developing spam filters can treat it
| how they want.
| estebarb wrote:
| Oh, that is why I wasn't able to renew some domains I have used
| for 10+ years. I'm not even able to upgrade to a paid domain.
|
| I don't think it will help reduce malware/scams/phishing. But
| it will hurt students and young people that want to start in en
| development and aren't able to pay for a domain.
| wizzwizz4 wrote:
| We still have https://nic.eu.org/ and
| https://freedns.afraid.org/ .
| 8organicbits wrote:
| There's a couple more options too:
| https://free.wdh.gg/#/?id=domains
| dazld wrote:
| For students, a few of the GitHub Education Student Pack
| partners offer free domains for a year.
|
| https://www.name.com/partner/github-students
|
| https://get.tech/github-student-developer-pack
|
| https://nc.me/
| dlachausse wrote:
| Another prominent .tk domain is for the Tcl programming language
| (tcl.tk) and I just checked, that is one of the paid .tk domains
| that are still up.
| overstay8930 wrote:
| Why do orgs feel the need to use these whacky TLDs
|
| I'm still on the fence with rust using .rs in important places
| which is fundamentally in control of the Serbian government.
| You're going to have to trust the Serbian government with
| signing .rs DNSSEC at minimum and I don't.
| dlachausse wrote:
| In TCL's case it's a fun play on Tcl/Tk, which is how it is
| often referred to when including its famous GUI toolkit.
| Fnoord wrote:
| Remnant of a time when the Internet was new and geeks would
| buy all kinds of fun domains with odd TLDs.
| bdcravens wrote:
| "new"? I don't remember seeing many of the "odd TLDs" for
| sale until the web had been around 10-15 years.
| Fnoord wrote:
| Not the TLDs themselves, the creative use of them.
|
| I started on the Internet in the (mid) 90s. Back then, it
| was already common among security conscious folks. A bit
| later, end 90s, you could buy a shell account for a
| couple of USD per month. You could run a BNC on it, or
| IRC client. It had various IPv4 with reverse DNS, this
| was called vhost. For example, you could end up with
| I.pwned.the.whole.eu.org and plays where TLD was part of
| word. Goatse.cx for example reads 'goatsex', Slashdot.org
| reads 'slashdotdotorg' or
| 'httpcolonslashslashslashdotdotorg', the founder of first
| Dutch consumer ISP Xs4all Rop Gonggrijp had gonggri.jp
| for ages (guess his email address). There are countless
| examples.
| rvnx wrote:
| Because all .com are already taken and available only after
| you pay ransom money.
| bdcravens wrote:
| Then use descriptive product names, not cute single words
| that are being used by 47 other products.
| yau8edq12i wrote:
| Who do you trust?
| mcfedr wrote:
| Not a bunch of pro Russia mafia
| overstay8930 wrote:
| Any of the OG TLD's, I wouldn't tie my domain to anything
| political at all outside of the US.
|
| You already have to implicitly trust the US government when
| it comes to anything internet-related as all of the
| critical infrastructure is, whether you like it or not,
| American, so you might as well set up shop within US
| control.
| pmdr wrote:
| I think .so is an even whackier choice and people are rushing
| to it. Why notion.com redirects to notion.so is beyond me.
| Probably couldn't buy it and pay only for a redirect?
| api_or_ipa wrote:
| To be perfectly fair, the list of DNSSEC cock-ups is
| staggering. .nz ccTLD was taken down, IIRC, for 4 days after
| a bad KSK rollover just last year. I've seen prominent
| registrars with 'automated' DNSSEC fail to upload correct
| NSEC and RRSIGs. It's not uncommon to see .gov domains go
| down because of DNSSEC. You'd think all these entities should
| get it right, but they don't. Probably why many major tech
| domains such as google.com don't use DNSSEC.
|
| But to your point, using an 'off-brand' can really hurt
| sometimes. `.af` might be a cute marketing tactic, but it's
| actually Afghanistan, and the Taliban play by a different
| rulebook. I believe it was `gay.af` that found that out the
| hard way. Tons of other stories.
| blacksqr wrote:
| The TCL maintainers switched their main URL to tcl-lang.org a
| while back because Freenom was so unreliable, although they've
| continued to serve tcl.tk as well with crossed fingers.
|
| I really hope Tokelau chooses a reputable registrar going
| forward, and .tk becomes usable for serious people.
| smrtinsert wrote:
| Ah nostalgic for tcl.
| toddmorey wrote:
| I get .tk was popular because it was free and you do need a home
| for your website that's portable across providers (not like a
| .netlify.app sub).
|
| But like we learned from .af, any of these TLDs technically meant
| for a country need to be considered ephemeral. You are sort of
| borrowing it without explicit (or lasting) permission.
| samtho wrote:
| > You are sort of borrowing it without explicit (or lasting)
| permission.
|
| To be fair, this is true of all domains. The broader concern
| with ccTLDs is this borrowing dynamic layered with whatever
| geopolitical situation the country is in, how stable the
| administering authority is with respect to the current regime,
| or just the political forces at work within the country that
| may lead to changes or requirements for the ccTLD within the
| country are registered. There is often a concern of DNS
| infrastructure and local bandwidth considerations for the data
| center in which the root nameservers are housed, assuming they
| are not outsourcing that.
| CydeWeys wrote:
| It's not true of gTLDs though. You actually own those
| domains, and they can't be taken away from you (barring
| extreme circumstances) so long as you pay the registration
| fees every year. But domains on ccTLDs can be taken away from
| you by the government at any time for any reason.
| genewitch wrote:
| I gotta say I find it extremely hard to believe that one
| can "own" a domain. This sounds like hand-waving. We don't
| own software, we barely own computers (to do with what we
| want), we don't own media.
|
| Is this like "one can own land" but really that's
| asterisked with Eminent Domain (no pun intended)?
| overstay8930 wrote:
| The people complaining that Cloudflare hosts these criminals
| would be the first ones complaining that Cloudflare has too much
| power when taking down websites it doesn't like.
|
| You can't win with these people, I personally think this is the
| best outcome and shows our systems work (albeit slowly). Sure it
| took a while, but now there doesn't have to be a precedent of
| Cloudflare acting as the internet police more than it has to.
| lolinder wrote:
| > You can't win with these people
|
| This is the classic fallacy of assuming that because you see
| comments of type A and comments of type B on the same forum
| that means they're the same people. They're usually not.
|
| A more accurate way to phrase this is "you can't win with ...
| people". Whatever you do will end up ticking off some subset of
| the population.
| mypastself wrote:
| "These people" is presumably a set of people quick to find
| fault in anything a corporation does, which could be a
| superset of those two groups. Not sure what kind of fallacy
| that's supposed to be.
| kortilla wrote:
| Those people are in the noise and nobody cares what they
| think once they realize they just criticize for the sake of
| it.
|
| That doesn't change that people seem to think the top
| upvoted comments being contradictory from day to day
| represents some kind of inconsistency in the views of the
| commenters on this site.
| __s wrote:
| intersection, not superset
| mathgradthrow wrote:
| Your evidence for the non-emptiness of this set of people
| is the fallacy above
| explain wrote:
| Not the same people at all.
| AlienRobot wrote:
| This seems like such a weird problem to me. If they're
| criminals, just send the cops? If you can't send the cops, then
| they aren't criminals?
|
| How do you end up in this limbo where you need critical
| infrastructure to play judge?
| lolinder wrote:
| The internet is a global system that spans ~all
| jurisdictions, and most internet criminals live in
| jurisdictions that don't prosecute internet crimes as long as
| the bad actors leave citizens of their own country alone.
|
| So they're criminals as far as the US and allies are
| concerned, but de facto not criminals where they live. If
| they're going to be locked out of the system, it has to be by
| the infrastructure, because their government has no interest
| in stopping them.
| AlienRobot wrote:
| I see. Perhaps there should be a legal framework to get the
| government to demand companies like cloudflare stop serving
| these international criminals, then. That way it wouldn't
| depend on a private entity making the judgement.
|
| Do you ever think it's weird that we have gone through web
| 1.0, web 2.0, semantic web, intertubes clogged with spam
| bots, web 3.0: crypto edition, and the dawn of AI scraping,
| and we still haven't figured out these issues?
| Caligatio wrote:
| Which government do you mean when you say "the
| government"? Any national government? Only the US
| government? Only governments in which the US is friendly
| and/or has agreements with?
|
| Would you want authoritarian governments to be able to
| demand Cloudflare stop serving those they consider
| criminals that are outside their borders?
|
| International law is messy.
| toast0 wrote:
| The rule of thumb is governments where Cloudflare has
| equipment, personnel, or banking.
|
| There is a procedure to get a foreign case recognized in
| the US, too, but it has to be serious, and it's not an
| easy process.
| Caligatio wrote:
| CloudFlare has equipment in 120+ countries, including
| China: https://www.cloudflare.com/network/
|
| I again ask: is it desirable for any of those countries
| to be able to unilaterally force a company to enforce its
| laws regardless of where the individual in question is?
| toast0 wrote:
| If the equipment is in country X, it seems reasonable to
| enforce the rules of country X. Plenty of companies
| refuse to operate in specific countries, including China,
| because they don't want to follow rules of that country.
|
| If CloudFlare chooses to do business in China, that's a
| choice they're making and it comes with consequences.
|
| Maybe they can offer service where customers will only be
| served from equipment outside of China, maybe that's not
| something they choose.
| immibis wrote:
| For starters, Cloudflare is a USA company so it has to do
| whatever the USA government tells it. See National
| Security Letters.
|
| They can easily order it to reveal the origin server of a
| website, or the sign-up IP address of the account, or to
| stop providing services to one.
| newaccount74 wrote:
| Cloudflare shields criminals from cops. They do so because of
| "free speech" or whatever. There was recently a story about a
| swatting victim, who tried to get the forum the swatters use
| to shut down. Cloudflare refused to give the identity of the
| criminals, the case even went to court and the victim lost
| and now apparently has to pay court costs.
|
| Our legal system is unfortunately not perfect, which is why
| it matters what infrastructure providers do.
|
| Do they enable criminals by shielding them from the police?
| Or do they have policies in place that prevent abuse of their
| service?
|
| With Cloudflare, I'm pretty sure they lean towards the
| former.
| ehutch79 wrote:
| I'm reasonably sure cloudflare would comply with any
| subpoenas / warrants sent their way.
| derefr wrote:
| Which is a catch-22, because subpoenas / warrants for
| collection of digital information have to name a specific
| intended target (a real legal identity under suspicion,
| not some pseudonym) -- and "the real legal identity of
| the suspect" is exactly the thing that Cloudflare's
| proxy-shielding prevents you from learning. Courts won't
| act until they have some specific individual to act
| _toward_.
|
| (This is also why, whenever you hear about e.g. police
| stings on Tor forums, they never mention requesting
| courts to issue warrants to ISPs for collection of e.g.
| traffic-analysis-correlation info about locations of
| servers hosting illegal content. Instead, this de-
| anonymization step is something they always have to
| achieve extra-judicially, usually by contracting a
| private network threat intelligence firm.)
| mcfedr wrote:
| Obviously with no context but what I hear
|
| Is the website illegal? Or maybe the police need to deal
| with spam calls more sensibly. Presumably they can trace
| where the calls are coming from in real life
| internetter wrote:
| wait, are you mad cloudflare decided _not_ to be an active
| participant in a doxxing campaign? Swatting is awful but I'm
| inclined to side with cloudflare here.
| newaccount74 wrote:
| I'm mad that they offer anonymity to criminals. If you
| offer a service that lets people hide their identity, you
| ought to perform a bit of due diligence.
| hnbad wrote:
| Are you American? Because that sounds like such an American
| idea of how the world works.
|
| To answer your question: most malware actors can be traced
| back to Russia, what exactly do you think "sending the cops"
| after them will accomplish and if the answer is "nothing",
| then does that mean you don't think they can be called
| criminals?
| AlienRobot wrote:
| It doesn't need to be physical cops. What I mean is that if
| crimes are being committed, the legal system should
| initiate a process that either puts them in jail (which as
| you say may not be possible) or ends up with cloudflare
| banning and other internet companies blacklisting them.
| That way, the burden of judging criminality isn't on random
| companies but on the appropriate authorities.
| stef25 wrote:
| Who you going to send to an online pharmacy hosted say in
| Egypt?
| caskstrength wrote:
| Why do you need to take down Egyptian pharmacy in the first
| place?
| iopq wrote:
| Because they send controlled substances to the US and
| falsely label them as "supplements"
|
| I know, because I bought RX stuff from India and it did
| not get labelled as medication
| lxgr wrote:
| What criminals are you referring to? The operators of .tk, or
| their users?
| mobilemidget wrote:
| There are tons of shady websites hiding behind cloudflare's
| services. Some used .tk domains too but just in general, many
| shady websites are hiding behind Cloudflare and at least I
| know from personal experience if you contact Cloudflare
| about it, they pretend not to be home.
|
| "We do not host the website" was always their response, while
| that is perhaps technically true, arguing if they shut down
| the reverse proxying for that website it would be at least
| offline, never worked.
| lxgr wrote:
| Cloudflare is a US company. If they provide hosting (or
| reverse proxying; I don't think there's a material legal
| difference) services for anything illegal under US law,
| shouldn't it be possible to compel them to stop doing that
| through the legal system?
|
| And if this is about not-illegal-but-objectionable content,
| I'm actually glad that as an infrastructure company,
| they're choosing to not get into the business of content
| moderation.
| internetter wrote:
| > if this is about not-illegal-but-objectionable content,
| I'm actually glad that as an infrastructure company,
| they're choosing to not get into the business of content
| moderation.
|
| Agreed. There's one other subset you didn't mention:
| "Clearly illegal but not yet handled in the court of
| law". Cloudflare again has a pretty hardline stance that
| "the courts need to come to us and force us to take it
| down"
| diggan wrote:
| > Clearly illegal but not yet handled in the court of law
|
| Isn't that somewhat of an oxymoron? What are some
| examples of something that is against the law but not
| handled by the courts of law?
| dingnuts wrote:
| Maybe that commentator lives in a country without common
| law, so precedent doesn't matter, but in a country like
| the US a law without precedent is considered "untried"
| and a lot of the details are worked out when the law is
| first enforced.
|
| If the legislature doesn't like the court's
| interpretation, they can then amend the law and the
| process restarts.
|
| So basically, at least in the US, nothing is clearly
| illegal until it is handled by a court -- so yes I think
| you're right
| lxgr wrote:
| If it's clearly illegal, what prevents it from being
| handled in any court of law? If it's not actually as
| clear, preemptive/overzealous compliance can lead to all
| kinds of undesirable (in a liberal democracy) effects.
|
| I also doubt that Cloudflare lets every single analogous
| issue bubble up to a full court case every single time,
| but for new/unclear/borderline scenarios, I'm glad that
| courts don't get to outsource their duty, i.e.
| determining the legality of actions, to a for-profit
| organization without public oversight.
| caskstrength wrote:
| > Cloudflare again has a pretty hardline stance that "the
| courts need to come to us and force us to take it down"
|
| "Hardline"? To me it seems like quite reasonable approach
| as opposed to "we will just take down anything someone on
| Twitter didn't like".
| newaccount74 wrote:
| It's not reasonable. 99% of scams, frauds and harassment
| will never be subject of legal action, because there just
| aren't enough prosecutors out there to charge every fraud
| attempt.
|
| If you require a court ruling before blocking a fraud, it
| means you will keep hosting 99% of frauds.
| costco wrote:
| They can. You can also subpoena them for information on
| an account, there are literally lawyers with blogs
| talking about how to do this. The people complaining
| essentially think that they should have the right to take
| anything they want down with an abuse report.
| stef25 wrote:
| A while back there was an interview with someone at
| Cloudflare and they were asked what about these Al Qaeda
| sites you guys are in front of, dude just answered "no
| comment". Seems that at the time they didn't ask many
| questions at all, like you said cause they don't want to
| go in to content moderation.
| 0x0000000 wrote:
| > The people complaining that Cloudflare hosts these criminals
| would be the first ones complaining that Cloudflare has too
| much power when taking down websites it doesn't like.
|
| It'd be interesting if you could point to a single example of
| someone taking both sides. I strongly doubt these are the same
| people.
| overstay8930 wrote:
| If you're asking me to personally identify someone, no I'm
| not going to do that. However if you want to see some
| hilarious hypocrisy, go ahead and see who said what when
| Cloudflare banned 8chan.
| akira2501 wrote:
| > You can't win with these people
|
| People who want to live in a just world often get in the way of
| things. I'm just not sure why you're mad at those who want
| justice and not those who put profits above all else?
|
| > that Cloudflare hosts these criminals
|
| Oh.. it's not that they host them, it's that they go out of
| their way to protect them, and the profit streams associated
| with them.
| thih9 wrote:
| The article presents this as a loss - but cloudflare has a free
| tier, do we know if these were paid accounts? If cloudflare
| weren't going to convert these users then this could be a gain.
| PokestarFan wrote:
| If the users were using free domains instead of paying for a
| domain do you think they'd use paid cloudflare? The cost of a
| domain is so much lower than the cost of Cloudflare.
| thih9 wrote:
| I don't know and that's why I'm asking. Not paying for a
| domain is not a reason enough to expect not paying for
| cloudflare - these are different services. Also note that
| even not paying for cloudflare is not enough - I asked
| whether cloudflare intended to convert that segment.
| sltkr wrote:
| I could at least imagine a scenario along the lines of:
| penniless college student creates a site at a .tk domain.
| Later, the student gets a job so he is no longer penniless,
| and meanwhile, his site actually becomes popular, so he signs
| up for cloudflare, maybe even registers a .com domain, but
| keeps the .tk domain alive because that's where most of his
| traffic is coming from.
|
| Not sure how common that is. But I don't think it's a given
| that all sites hosted on .tk domains are unwilling to pay,
| especially not if you consider that they must be somewhat
| popular if they need a CDN.
|
| (The sort of personal homepage that most of us had back in
| the 90s would never need a CDN because it would get 5 hits
| per week.)
| ChrisArchitect wrote:
| Is there any other connection to Cloudflare? I thought maybe they
| were using the .cf domain for their own stuff or something. ;)
| bastawhiz wrote:
| > The affected domains represent a big loss for Cloudflare, with
| .tk, .cf and .gq previously accounting for 23.1% of all domains
| hosted on its platform - and nearly all of these have now gone.
|
| I'm not sure in what way this is a "loss". I doubt cloudflare is
| losing money (or revenue) here. Especially if many of these
| domains are spammy, it seems like this is probably not much of
| anything for them.
| jacurtis wrote:
| This was my thought while reading this. Overall I think this is
| a net-win for CloudFlare. I suspect that exactly 0.00% of the
| 12.6 million domains they just "lost" were paying customers.
| Considering the people didn't want to pay for a domain, they
| probably weren't paying for a CDN either.
|
| I'm sure Cloudflare will be able to wipe away their tears of
| this loss using the extra dollar bills they have from reducing
| their bandwidth costs.
| ncruces wrote:
| I had a free website on .tk
|
| When it became moderately successful, they didn't renew, and
| then wanted 50EUR/year.
| nicrtt wrote:
| Ahhh, the memories :)
|
| Understandable, but a loss all the same. I'll never forget how
| proud I felt as a kid when I first had a URL I could give to
| people.
| dancemethis wrote:
| Tangentially, Cloudflare REALLY needs to start supporting
| transferring .moe domains already.
| znpy wrote:
| Uh... if anybody has a legitimate .tk domain, how does one keep
| it alive?
| qingcharles wrote:
| I used to pay for mine. They were sold through resellers if you
| wanted to keep it. One advantage of .tk is that they supported
| emoji domains.
| jacurtis wrote:
| I'm sure CloudFlare is just reeling from this "loss" of 12.3
| Million unpaid customers.
|
| I hope the CEO doesn't drink too much tequila tonight during the
| celebrations
| zoklet-enjoyer wrote:
| My friends and I used cjb.net for our anime website
___________________________________________________________________
(page generated 2024-03-16 23:01 UTC)