I'm curious how you feel about CloudFlare as a registrar not allowing GitBook to use an external root nameserver.
Being forcibly stuck on CloudFlare's own nameservers only sounds very nefarious, and isn't a limitation I've ever heard of with any other registrar. For instance, it would break my tooling that uses my host's APIs to control DNS records through their nameserver.
I'd be very appreciative if eastdakota or jgrahamc could elaborate on what possible reasoning there is for this restriction as well.
Cloudflare sells the domain at cost. I think the idea is that its an extra service meant for their customers, not a service for the general public. As they are a DNS provider, their customers will use cloudflare nameservers. If they didn't, they would no longer be customers.
That does make sense. If I were using Cloudflare I suppose it would be a no-brainer, and if I were Cloudflare and didn't want people not routing their traffic through me on my registrar, that would be an excellent way to discourage it. If they're forced to offer to everyone as part of being a registrar, then the combination of all of the above is my answer. Thanks!
Exactly, huge red flag. Google domains it's risky because they can ban your entire Google account including personal Gmail and any linked business ones. Can be pretty bad I'd say.
I'd like to interrupt all the sanctimonious blathering in this thread to note that Cloudflare domain registration terms and conditions are almost a verbatim copy of Google's, and includes the same unilateral cancellation clause for phishing.
Cloudflare: "Cloudflare and Registry Operator may deny, cancel, suspend, transfer, redirect or modify the Registrar Services or a Registration, or place any domain name(s) on lock, hold or similar status, as either deems necessary, in the unlimited and sole discretion of either Cloudflare ... for distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law."
Google: "We may in our sole discretion, deny, suspend or cancel any registration or transaction, or place any domain name(s) on registry lock, hold or similar status if ... engaging in spam, phishing, or other deceptive practices."
I think the primary issue with Google Domains here is not that they have these kinds of terms, but that they enforced them in a particularly incompetent way. The original report of the phishing site was over a week old and had already been resolved, when google shut down the domain. Hopefully the people at Cloudflare are a bit better at their jobs.
Oh, I don't know that we have enough unbiased information to conclude what you concluded. One of the first comments posted in this thread today was "Is it related to the countless phishing pages hosted on your service?" from which we can deduce that the phishing problem on Gitbook is well-known to random members of the public.
The topic at hand is where to move a domain out to, and whether said company is one that can be relied upon to act ethically and responsibly. I don't see the difference.
I thought Cloudflare was more about saying "we were wrong to try to be the world's speech police, and will never again bow to public pressure and take away DDOS from literal Nazis" and then taking down 8chan and other literal Nazis anyway because of public pressure.
Think you should investigate other options such as the known brand protection/domain asset management companies (MarkMonitor, CSC, easyDNS or their European equivalents)
EDIT: I see you're moving to Cloudflare, but I wish you the best of luck
How did you arrive at choosing Cloudflare? It's clear Google Domains has broken processes not conducive to running a business centered on user content. How do you know Cloudflare does not suffer from similar broken processes?
I doubt CloudFlare Registrar would be better in terms of customer support—unless said customer has an Enterprise plan—as their prices are just the registry + ICANN fee, no surcharge for them to make money.
Doesn't seem conducive to great customer support, but maybe I'm wrong cause I've never had to contact them.
As a former domain registrar, I would get the authcode, unlock the domains, and transfer them away as soon as possible. It's been a while since I read the RAA (https://www.icann.org/resources/pages/approved-with-specs-20...), but it's rather extraordinary to put a domain on clientHold, which is what I assume they did to you, outside of non-payment or some kind of legal dispute.
I'd be interested to know what this heavy handed policy was, assuming Google Domains gave you that information. I hope it wasn't something egregious or frivolous as I've seen with other parts of their organisation.
I don't understand why you got downvoted. Google's customer support is notoriously non-existent (perhaps except for stuff that brings in money like AdWords). They admit themselves that it's a business decision: https://www.seroundtable.com/google-support-staff-limits-139...
Because it's about as helpful as saying "you shouldn't have moved to Los Santos if you value safety" to someone who's bleeding on the street having just been mugged.
The same message could also be worded more like "once you get past this, I'm sure you're already considering moving registrars. But please let us know if the support you're receiving from them is as bad as (my experience / reputation / etc.)".
Or better yet, "here is a reputable site reviewing registrars for reliability and customer service" (I don't know if there is such a site, there really should, but it's unclear how it would make money).
According to whois, google.com, amazon.com, github.com, microsoft.com, netflix.com, reddit.com, baidu.com, youtube.com, twitch.tv and wikipedia.org all use MarkMonitor [1]
apple.com, twitter.com and ocado.com use CSC Corporate Domains [2]
I have no idea what such services charge, but they're all "call for pricing" and none of those companies would blink at spending $10k/year on their domains.
Not every well known brand uses such a service, though. bbc.com uses tucows, stackoverflow.com uses name.com and ycombinator.com uses gandi. facebook.com uses RegistrarSafe, a subsidiary of themselves, and almost every domain registrar is registered with themselves.
At my last job, we called MarkMonitor after NetworkSolutions' lack of admin security got our domain hijacked. I don't remeber the prices exactly, and I'm sure they've changed, but from what I recall, the per domain year prices were about 10x normal prices, like $100/year for .com, but they also had a mininum annual spend of I think $10k/year; to get the 'super lock' domain service was about $1000/year available on a small selection of TLDs. They were also pretty dismissive on the first call until they looked us up and you could hear the dollar signs spinning in their eyes. They were very easy to work with and professional after that though. This was while they were owned by Thompson-Reuters, they've since been sold to private equity.
Google.com was registered long before Google Domains was created. Lots of other more modern Google domains---even .google ones---are registered with MarkMonitor as well. Google Domains doesn't compete with MarkMonitor for large businesses with extremely valuable domains.
That to me is a downside since that means that that is not a core part of their business. Financially, it makes no difference to them if I use their service or not.
I would rather pay a little extra to a company that has domain registration as a core part of their business and actually makes a profit from me.
And domain names are cheap. Even if you pay twice as much as the cheapest service, it still will not make any difference in your bottom line.
The counter is it's also risky to use a company that only does Domain Registration since it's a very low margin business and thus the risk for them shuttering is higher -- or they'll try to make it up with various erroneous fees
I know the concern of putting all your eggs in one basket is real, but since CF's business is literally to take over your domain DNS and slap on some add-on services, adding domain registration in-house seems like a good fit.
> The counter is it's also risky to use a company that only does Domain Registration since it's a very low margin business and thus the risk for them shuttering is higher
You can avoid this issue by going with a registrar that focuses on bulk domain sales (eg. internet.bs in my case, but there are more, like eNom I think?), as they have a high-enough volume that they can easily stay afloat even when charging reasonable prices and without aggressive upsells.
It's mostly the consumer-focused "$1 for the first year" registrars like GoDaddy that you want to stay away from. Those are the really problematic ones.
> but since CF's business is literally to take over your domain DNS and slap on some add-on services, adding domain registration in-house seems like a good fit.
Sure, if you want to send all the traffic of all of your users through a man-in-the-middle US-based company with a very dubious past and a questionable business model revolving around basically centralizing the internet.
It's not a great recommendation to make. It also raises the question of why they seem intent on killing off the registrar market by offering "at cost" (which honestly isn't much lower than what aforementioned internet.bs charges anyway).
How about mixing the two? Buy your domain at the cheapest registrar you can find. Pay for 9 years. Then as soon as you can transfer to some registrar you have more long term confidence in. You might have to purchase another year there to do this.
Net result: You get the domain at your preferred registrar, but you get 90% of the savings you would have got if you had it at the cheap register.
Ah yes that's true, I always seem to group .io in with the new crowd of TLDs in the sense that it became trendy "recently"; and I only mentioned .io domains since GitBook uses one, "gitbook.io".
.io isn't just "Indian Ocean", it is British Indian Ocean Territory. The location of the Diego Garcia military base (jointly operated by US and UK). The British expelled its indigenous population (the Chagossians) to make way for the US military. The territory is claimed by Mauritius, and the International Court of Justice in 2019 ruled (in a non-binding opinion) that the UKs separation of the territory from Mauritius was unlawful.
Some random British company convinced IANA to let it run the .io domain for their own profit. Their operation of it has nothing to do with the interests of its exiled inhabitants (the Chagossians), the British territorial and military authorities, or the US military presence which constitutes the the territory's raison d'etre.
I think it likely that, one of these days, something is going to happen to the .IO ccTLD operators. Their rights to it are very dubious, and someone else (the British government, the government of Mauritius, the Chagossians) could end up wresting it from them.
What makes me uneasy about Cloudflare's registrar service is they force the use of Cloudflare's nameservers unless you have an "Enterprise" plan (paying a monthly fee for what amounts for some registry EPP calls?!) and given how they sell at cost I can't imagine the customer support in case of similar issues to this being good.
> Namecheap dumping personal info without informing their customer
Something similar happened to me – Namecheap dumped the wrong (private) information into WHOIS immediately after a redesign of their systems. It definitely was not user error.
Dealing with Namecheap's customer support to try to resolve this was possibly the worst customer support experience I've had in 20+ years in the tech industry. Lots of lies about getting back to me the next day, passing the buck, blaming everybody but themselves, extended periods of flat-out ignoring me, and eventually a complete inability to fix it.
I've been a happy user of Hover ever since, but I'm unable to recommend them – ironically because nothing has ever gone wrong with them. I used to recommend Namecheap until that nightmare happened, then I found out just how shockingly useless they are when it comes to customer support and privacy. Ever since, I only recommend services where something has gone wrong so that I know they are capable of resolving problems well. I regret ever recommending Namecheap and don't want to make the same mistake again.
I have used hover for years and quite like them. The customer support was awesome when I had an issue with getting a .com.au domain setup for a business. Australia has some extra requirements for domains that I wasn't familiar with. I also like to have my domains separate from everything else so if I move hosts/email providers it's easy.
They have their own accreditation for .COM/.NET/.ORG/.INFO/.CA (and maybe a few others) else they fallback to Tucows OpenSRS system, which is decent except in the case of needing advanced features like DNSSEC (for certain TLDs) where they seemingly have a "Half Life 3" type schedule of deploying new features
Cloudflare Registrar had some issues at one point but they had more to do with a broken system that assumed the domain was purchased elsewhere than anything else, if I remember correctly. Their support apparently handled that case very well.
I haven't used them personally, but I've read a ton of rave reviews about gandi.net. Namecheap also talks a good talk, and Cloudflare has a good reputation.
GoDaddy answers their phones with real people, but they are completely powerless to actually help you. You can escalate all the way to the office of the CEO (who doesn't answer their phones) and they won't lift a finger to help you. I had been a customer for over ten years with several domains, and they still wouldn't help me with a three-figure billing error. What kind of business fights a decade-long customer over an interest rounding error for them?
Because 99% of people don't realise that their domain registrar holds the keys to their business's entire internet presence.
They can switch off your website/email at any time, with no real consequences apart from a little bit of bad PR if you have enough social media followers or post in the right forums where their staff hang out.
They can also do a shitty job of securing your domain, and let it get stolen/hijacked. The attacker then gets to set up their own MX records and collect all the password reset emails they triggered on every other important site, and pretty much own anything you doin't have 2FA set up on.
Anyone who doesn't think customer support from their business domain registrar is a thing worth paying for, most likely hasn't evaluated the risks properly.
That may be true for a given service, but I'd wager closer to 99% of people have used customer support for something in the past. It'd be foolish to disregard it when you know you've needed it before, even if not for that same service category.
Aside from the Google domain issue (which is obviously a problem) -- why on earth would GitBook be hosting user-generated content under their corporate gitbook.com domain?
The registrar issue is one problem here -- but I don't see this addressed in their post-mortem. I thought this was a well-known issue. You don't host user-generated content on the same domain that handles your corporate email. Because things like this can and do happen, so you want to make sure that your company isn't also down while you're busy fixing a problem with your customers.
I know the exposure risks are different, but isn't this is one of the reasons why Github moved hosting Github Pages content to github.io from their primary github.com site? Or why raw data is hosted from githubusercontent.com (in addition to mitigating cookie security issues).
The registrar was an issue that was largely out of their hands. But this was something that they could control. And I think it's something that is missing from their post-mortem. If they had split their domains, then while serving user-content was disrupted, accepting users to gitbook.com and their email (!?!?) would have still been working. Also, depending on if they had a 3rd domain for hosting their CDN, users that had custom domains would also have been protected.This goes along with the idea that you don't use email from your primary domain (cto@gitbook.com) to register your domain (gitbook.com). Or host your status page on the same infrastructure as your site.
If I were them, after migrating registrars, this would be the next engineering change I'd make.
(Maybe they do this, I don't know enough about GitBook to know. But based on the thread here, I don't think they do, or at least it isn't mentioned in their post-mortem that I saw.)
We don't host user content under the gitbook.com, or at least we've stopped doing it a few years ago.
User content is stored under *.gitbook.io, similar to GitHub.
Google blocked all domains that contained "gitbook" in our account, even ones that are used for some infrastructure and are not accessible by the public. We don't know the exact reason for this, maybe they've blocked gitbook.com because we still have some redirect for content that was hosted under it years ago.
And yes we are going to make changes to host our status page under another domain.
That’s really important to add to the story! I think that makes the rest of the story more troubling. Especially knowing that domains unrelated to the apparent user phishing code were affected.
You might think of adding it to the post-mortem doc so that others don’t assume what I did.
why on earth would GitBook be hosting user-generated content under their corporate gitbook.com domain?
You mean like news.ycombinator.com, nytimes.com, facebook.com or most blogs or forums ever created?
Also their entire business is serving user domains so if that goes down customers don't care about their marketing site, though the email vanishing would be annoying. What's to stop google doing this with any regular domain with user comments or content though?
I blame the registrar - having heard this horror story I'd never host with google domains.
Does it really make it less of a problem if they had a separate domain for corporate and it was only the user content going down? Serving user content can as well be part of a service’s core product and registrar induced downtime is a big enough problem.
Building and running anti-abuse tech works in proportion to the money put in. Can a small player really compete with Google’s anti-abuse investments? No. Save for a couple of exceptions, this means Google could always find abusive user content in its clients’ domains that the clients themselves couldn’t catch. I am not suggesting small players should be able to freeride Google’s anti-abuse capabilities, but if leads to enforcement and downtime of this sort, there needs to be a better protocol for the client to be able to respond or it paints a very anti-competitive picture.
> Does it really make it less of a problem if they had a separate domain for corporate and it was only the user content going down? Serving user content can as well be part of a service’s core product and registrar induced downtime is a big enough problem.
Yes, it really does. Not losing your ability to receive email will help resolve the problem.
> Serving user content can as well be part of a service’s core product and registrar induced downtime is a big enough problem.
If that is the case, then choosing a registrar that provides quality, timely and responsive support when dealing abusive content complaints should be on the top of your priorities.
> Building and running anti-abuse tech works in proportion to the money put in. Can a small player really compete with Google’s anti-abuse investments?
In this case the small company did find the content first through their own anti-abuse systems.
I'm not sure how this become anti-competitive. Google may have a monopoly on many things, but DNS registry is definitely not one of them.
> Not losing your ability to receive email will help resolve the problem.
Sure, I'm trying to prevent this stealing focus from the fact that this shouldn't have been a problem to begin with. The argument for separation is not made for defending against a SLA limitation or some other technical reason. It is made to accommodate a faulty policy problem. It is equal to saying "best practice: all big-co domains users should have corporate and production domain separation in case big-co's policy layer messes up. oh well". I'd rather see big-co held accountable not to mess up.
> If that is the case, then choosing a registrar that provides quality, timely and responsive support when dealing abusive content complaints should be on the top of your priorities.
Hindsight is perfect, while those qualities are rarely perfectly symmetrical information. "They should have known this could have happened" sounds like victim blaming to me. They were entitled to reasonable policies and reasonable application of those policies.
> I'm not sure how this become anti-competitive
Monopoly is not the only machinery of anti-competition. Creating a landscape demanding anti-abuse parity is essentially creating a barrier of entry. They are going to cloudflare next but there is no telling a similar scenario won't happen. It is important to call out the potential of big-co's putting capital-intensive demands on little players to participate in the web.
Github.com is their corporate site, hosts their application, and is how we all interact with repositories (via https or git://). But, the only data you get from that site has been processed through their application and sanitized.
The only way to get access to the raw user-generated data is through raw.githubusercontent.com or Github Pages which hosted on github.io. And the data from raw.githubusercontent.com has the MIME types set so that you don't get HTML rendered -- only the raw plaintext (I think).
So, in this specific example, if there was someone hosting a phishing site in a github account, it would have been active only through github.io, not the main github.com site. (You could have likely seen the source code from the main site, but it would not have actually generated an HTML form).
That’s exactly what they are doing, too. Google effectively shut down github.com for the issues in github.io that didn’t exist anymore, in your example.
Not all of it. Any bug attachments which don't have previews are served from https://github.com directly, for example.
Here, I uploaded that image from the other day that crashes some phones. I gzipped it so it wouldn't generate a preview, and attached it to a bug. When you click the "github.com" link, it downloads the file, and (at least with my web browser) uncompresses it and opens it with your default application. It's bit-for-bit the same as what I uploaded.
I'm aware, but I could just as easily see a lesser registrar getting confused by an abuse report and suspending github.com because it embeds content from githubusercontent.com.
I can say from experience that moving content to a different domain without breaking things for users can be atrociously difficult. So if you make a mistake in how you split domains in the beginning, it can be very expensive to rectify later. Can you imagine going to all your customers and saying "you know all those links you have to example.com? You're going to have to change all of them to point to example.org now."
They _should_ split their domains, and given this recent issue, it would make sense for them to prioritize that. But, well, easier said than done.
I imagine it will be painful to split their domains. But, I was surprised to see that wasn't mentioned in their post-mortem. Even if they didn't plan on doing it, I think that it would have made sense to mention.
I imagine their main paying customers would start demanding this change though. They are probably using a custom domain, so whatever domain GitBook chooses to use should be irrelevant for them (in theory, but in practice, who knows...).
Could you imagine if "youtube.com" were blocked and locked by IANA/ICANN/? because of reports that somebody posted a video with misinformation and phishing content?
I don't expect google appreciates how devastating this, but that would change quite immediately if it happened to them.
It's almost as if, while the laws and policies and regulations are supposed to be the same for all, giant entities with huge amounts of money and power behind them are held to a different standard than everyone else. I can't say I'm surprised.
There's a parade of apologists who will quickly pop up to say that a private company platform should not be held to any free speech standard since they're not a government, never mind how much power they wield in practice.
What about when it is the government taking down a domain for hosting illegal or copyrighted content? What happens when you give the government enough power to take down a domain for political dissent? The problem you mention isn't with Google, it is with how TLDs and domain registrars work in the first place.
> sent to an e-mail address on a domain they had just suspended...
I've always assumed that:
1. When creating your account at the registrar you should use an email address that is not at any domain you will be registering through or transferring to them,
2. The contact information you give for your WHOIS records (or if using a WHOIS privacy guard service, the contact information you give them to forward to) should use an email address at a different domain,
3. If you use a DNS provider other than your registrar the contact email address they have for you should not be a domain using them for DNS, and
4. Same for whatever hosts your email.
The general principle is that the contact method that a service provider will use to contact you if there is a problem with your account or service with them should not depend on the account being in good standing and the service working.
The biggest hoster of phishing sites is Google.[1] Here's a list of major sites which have live entries in PhishTank.[2] Hosting phishing sites on Google Drive is very popular.
Many of those are long gone, but PhishTank hasn't cleaned them out, so they're still listed.
To be fair, every platform which allows user-generated HTML pages suffers massively from phishing and most of them don't deal with it very well: Google, Microsoft, smaller players like Codebox and countless others. Then there's phishing on Dropbox, phishing on Google Forms, OneDrive, etc. Then you have phishing at all the various hosters like DigitalOcean, CloudFlare, etc. Even there you'll sometimes have IPs which have hosting phishing pages for various brands for a long time. It's not an isolated problem. Some deal with it more aggressively, true, but the pace and ease with which phishing can be stood up and modified makes it a whac-a-mole. Plus, the expectation is that most phishing pages will only be active for a few hours before being taken down and/or detected, so phishers pump out new ones on a constant basis.
I run the service at https://urlscan.io which tracks phishing and frequently run into these cases which render any kind of black/whitelisting impossible. Imagine Microsoft phishing hosted on Microsoft domains and infrastructure. Here's a fun search which will return lots of phishing on windows[.]net and googleapis[.]com: https://urlscan.io/search/#page.domain%3A(googleapis.com%20O...
> To be fair, every platform which allows user-generated HTML pages suffers massively from phishing
The big difference here is that all the other platforms struggling (and failing too often) to prevent themselves being used as phishing hosting - aren't then turning around and hypocritically taking other platform's entire internet presence offline for doing so.
Google here are acting in the roles of judge and executioner, while being the biggest offender of the same crime.
Google tends to be at the top of that list, though. It wasn't always. When I first started doing that, MSN was on top, usually followed by Yahoo. For a while, Google Sheets were being used for phishing. You can put HTML in a spreadsheet cell, apparently.
I used to contact nonprofits and small businesses which showed up on that list. Inevitably,they'd had a break-in. With some nagging, I could cut the size of the list in half.
Google Domains locked my domains at renewal time and refused to renew them until I provided proof of identity in the form of a scanned government ID -AND- a scanned copy of the credit card.
Coupled with the horror stories of non-existent support, the first thing I did was move my domains out this month.
I've kinda given up, and use Route53 for everything, on the grounds that if I managed to piss AWS off enough for them too take my domain names down, all my infrastructure will probably vanish to, so having someone else manage to keep my zone files up will not be of any use anyway...
It's got all my eggs in one basket - but solving that problem is a much bigger task that just picking a different domain registrar... (And I sometimes wonder if my blue-sky cloud-agnostic dreams would all come crumbling down if I even managed to implement then anyway - if whatever went wrong that pissed AWS off enough for them to shut me down got shared with and/or triggered the same reaction at Azure/Google/DO/whoever...)
This mirrors my experience with google support, even as a paying gsuite customer. I lost a YouTube channel and wasn’t given any option to restore it. Their advice was to just re upload all the content and forget about view counts and old links that would no longer work.
I'm going through issues with G Suite as an admin. They randomly blocked my account falsely accusing me of sending spam. I can't even access the help support team sicne I can't login to the system.
This is completely insane - there's absolutely no legitimate reason for Google to lock you out of your account, even if you were sending spam emails. Disable your ability to send new emails, maybe. Lock you out of your email inbox, maybe. But completely prevent you from accessing your account, and therefore even appealing? Inexcusable.
Had major problems with a trial. Firstly it would just redirect back to the admin console if I hit gmail. Support couldn’t fix it.
Also you can’t give anyone access to YouTube (!) for 60 days after signing up or paying $30 in credit. Which is no good because when you pay them £30 fuck all happens. And again support were useless.
Happy O365 customer now. And I’ve used support which was excellent.
Honestly I've tried everything and can't find any support pages. In order to get support you need to login to admin console on G Suite, well how the heck am I supposed to do that if I can't login to begin with? This is the generic https://imgur.com/a/lgRby50 page I get. It's been almost a week and a half, more than 5 business days, and I haven't heard back from my request to restore my account.
The problem is that they have my data and my credit card for this G Suite account.
I don't know if it would work these days, but I'd go down to their offices with a sign saying "I need help with my account" and march in front of their office. Be calm and civil and maybe you'll get some where. Or maybe there's a phone number on your credit card bill / that you can get from your credit card charges.
Same, and don't get me started on Ad-sense, kicked out by Google who claimed I was clicking on my own ads?!? They owe me tons on money, they know it because they sent me a stupid voucher at my home address to spend it on double-click, LOL... it was 14 years ago.
Since then every-time I have the opportunity I strongly oppose any business I work with to move to any Google cloud service and I was pretty convincing so far in large corporations, and I will continue to do so.
I have a simple rule when using Google services (including paid ones) - be ready to lose access without a moment's notice. Unless you are an enterprise customer or can reach out to Google employees when things go horribly wrong, you are at the mercy of their automated systems.
As other posters have pointed out, hope they have a plan to migrate their domains elsewhere.
For the record: if you don't want this to happen to your site, you should avoid Dynadot also.
Several years ago I ran into almost exactly the same issue with them after someone sent them a frivolous abuse report - they'd locked down my domain unannounced to the point that I couldn't even transfer it out, and it took a call from a journalist(!) inquiring about the suspension before they were willing to unlock it for transfer.
I've been using internet.bs for most of my domains since and haven't had any issues with them - they let me know when an abuse report comes in, and give me the time to handle it. There are probably other registrars that are fine too, but I don't have personal experience with them.
Same. I bought a few .app names when they came out, but I'm transferring the rest away. It's not even the threat of someone accidentally locking something that concerns me, but the fact that Google is now so big that, like a black hole, all information is pulled in and none can escape, including (effectively nonexistent or incompetent) support.
Support who? Government has power to take down any domain, especially TLDs and registrars in the US. People should be supporting decentralized DNS and name servers if they want to be safe from takedowns.
Makes me wonder if they don't understand user-generated content, if Google Domains is more meant for small personal sites maybe?
I used to use a hosting company that had in their terms, that profanity wasn't allowed... The company seemed to have decent hardware, user interfaces and US based support too but ran by Mormons based in the beautiful state of Utah. I don't have much of a opinion of Mormons but I think pushing religious views on your customers is bad business.
So after noticing that in their terms I was curious since I run a personal WordPress blog, if someone wrote a comment even if it wasn't approved just by being in the database if it broke their terms and was told yes... Now that I'm a bit older, I wonder if they really are scanning database table text fields for swearwords or that support rep misunderstood what I meant... But after that discussion, I switched my domain and hosting elsewhere, two separate companies actually instead of just one account with both domain and hosting. If some spam bot or troll writes the F word, they are going to take my entire site down even if no fault of my own? Yeah, no thanks.
They got acquired though by a lot larger company and doesn't seem to have those same terms now though, and heard they now outsource their support. There was someone I used to talk to who was a big fan of them though and referred me. So slightly over a decade later, they are probably not even remotely the same company anymore though since merged with a much larger company. Wouldn't surprise me if they ended up getting rid of a lot of support staff and just kept a handful of people to manage the datacenter, since marketing, accounting, support, etc would probably be centralized between all the hosting companies they own I'd imagine, which is probably a blow to the local areas when they merged unfortunately. I guess that's one of the sad things about getting bigger, they lose that small town friendly startup feel probably as seemed like a great company other than forcing religious views on people. Just did some more research about their company, sounds like they were also anti-lgbt too sadly. Makes me wonder how many other people working their share those views or just something management was pushing down since looks like the church changed their policy last year... I've been wanting to go somewhere with more opportunities, and actually Salt Lake City is one of the areas I've been considering since seems like a bit bigger city and on the list as a place for upcoming startups.
The exact same has happened with CodeSandbox, Google Domains had blocked our csb.dev (internal domain) and csb.app (domain for projects) without any warnings. It took us two days (of downtime!) to get them to lift the block. But then after 3 weeks, they did the exact same thing! They blocked us again for reports without warning. Luckily we had a fallback domain so that there was not much service disruption, but it was extremely frustrating working with them on this.
After 3 sudden blocks from them, they now give us a warning before they're planning to block us, but it took many calls before we got to that stage.
... Which is again why I would never use Google for any business application. These stories happen all the time.
"I built my business on Google Cloud / Android / Google Apps / Youtube / etc. I was flagged by an automated system. There was no human to speak to (at least one competent or empowered to do anything), and my business is now gone."
Some of these go viral on social media, and Google then fixes them. Some don't.
Support channels built on only having an impact if things go viral aren't what I'll build my business on.
Having just moved 3 personal domains -> into google domains you can imagine I find this quite concerning.
I wonder how the domain registry community at large feels about this? ICANN exists, domains are subject to a legal agreement with ICANN, and it has customer-protection concerns surely?
I can tell you about my experiences with Namecheap when I used fake WHOIS info for my privacy and someone reported me.
Their support staff said that due to ICANN policy, they must have accurate WHOIS info, so they have changed my WHOIS information but also added WhoisGuard to the domain so the details are not visible unless someone gets a Panama court order.
Well, the real question is whether you have full control over the content posted on those domains. If you do, you should be fine, but the lesson is you should never host anything with user-generated content on Google Domains.
Are they conflating domain registrars and DNS hosting? Did Google Domains block their domain at the registry level, like removing the NS records from roots? Or did they block is at the domain DNS level, like not resolving queries to Google nameservers for the domain?
I don't expect many startups or big companies use Google Domains for DNS hosting. AWS Route 53, Google Cloud DNS, or dedicated DNS hosting would be used for that. But I expect it is fairly common for startups to use Google Domains for domain registration.
I don't think it should be registrar's duty to shut domains down.
Gitbook appears to use CloudFlare to host DNS, and likely to use their CDN/proxy, which makes them the actual "host" of the content. If there is any phishing, they should be the ones responsible.
The post says even their email was down. I'm deciding to not use Google Domains anymore.
You know, this is interesting. Google is taking something close to an editorial stance here - it is clear that they take action against their customers based on content on their sites.
Some might consider that sites with controversial content who use Google as their registrar and not taken down are considered reviewed-and-OK by Google.
Others might start pressuring Google to expand the nature of content they find unacceptable.
And yet others might try pressuring them to expand their policing - who knows how many bad actors could be shut down with Gmail monitoring?
Phishing is not "controversial." It's illegal, and it undermines the principle of informed consent that meaningful freedom requires. Even if Google isn't legally obligated to take down phishing domains, I refuse to be so anal as to complain about it. It is everybody's job to make the internet safe and usable.
Too bad Google does a terrible job of it. No way am I signing up for a Google Domain in the future.
The point is not whether it is reasonable to do so or not; I agree that phishing sites should go.
The point is that there is a large lobby out there for knocking different types of content offline, and they don't show much concern for whether their demands also seem reasonable.
Most registrars feel they should not be in the content policing or law enforcement business. Google volunteering to do it in one area that makes sense opens the door for pressure to do it in other areas that make less sense.
Yeah, there’s nothing wrong with taking down phishing sites. The problem is when you misapply the restriction and take down a whole domain of a platform.
A month or so ago, I was setting up a new system for writing internal-ish documentation and made the rather unpopular decision to not go with Gitbook because it was too reliant on their servers for my taste. Today, I got to send a very satisfying "told you so" the the team chat.
To be clear, I think the Gitbook team actually handled this very well and it wasn't their fault, but it does illustrate very clearly why we shouldn't be relying on cloud services when we really don't need to.
I’m surprised how few people in this space aren’t packaging their apps up for on-prem customers.
* Fewer security and compliance hurdles when its on our own infra.
* Perfect uptime because it’s our responsibility. (Not saying we’re better but outages are our fault and don’t make you look bad)
* Fewer hurdles when integrating LDAP and friends. There’s no need for the weird “connectors” that companies come up with.
* We’ll pay you more for the privilege of hosting it ourselves.
* Giving us access to the code in a shared source model buys you an extreme amount of lock-in since once we start tweaking our fork for our needs we’re not leaving.
* The support burden is higher, sure but if it’s your most expensive enterprise tier you’ll almost always be working with a professional IT team.
* We’re the easiest crowd to up sell and we’ll even pay you to develop features you can sell to other people.
I don’t want to make it seem like selling in enterprise isn’t a slog but it’s a good business to be in.
The one surprising aspect about google domains - it is not integrated into Google cloud.. they are two separate products while AWS domain registration is part of aws cloud
Unlike Amazon, Google has more domain-related services than just Cloud - i.e. Analytics, Sites, Places, etc - which is probably why it's still independent.
Just out of curiosity- when Google is infamous for hard-to-reach human support, what in the Internet would make anyone interested to register their domain with them? Do they provide some sort of security or insurance that I am unaware of?
All the popular dedicated domain registrars I have used so far have excellent human support. Godaddy, namecheap, namesilo to name a few. I don't know if big companies or corporate use something more to secure their domain names and DNS, do they?
> Just out of curiosity- when Google is infamous for hard-to-reach human support, what in the Internet would make anyone interested to register their domain with them?
I think that, despite what frequenting HN may make you think, most people using Google's services - even the more complex or paid ones - aren't aware of the problems with support.
I moved/consolidated from GoDaddy and 101domain to Google Domains because of the support I've gotten from Google in the past (on Nexus/Pixel devices, Apps, Fiber, Fi, Stadia, etc).
I always assume the people complaining about nonexistent support from Google are trying to get support for something they aren't paying for. You pay for Domains, and the support reflects that. You probably can't get support for getting locked out of a consumer Gmail account or help uploading a YouTube video.
As a paying G Suite customer, all of my support experiences have been horrendous, including trying to unlock an employee’s account that was locked for “spam”.
The support agent couldn’t do a single thing but tell me to wait for the possibly robotic appeals process.
You can transfer a domain with no downtime. The name servers will remain during the transfer, so as long as your DNS isn't dependent on the domain registrar, you'll be fine.
If you are using the registrar's built-in DNS hosting, move away from this first, which can also be done with no downtime.
According to the postmortem they had removed the site in question a week back. Google was acting on a week old data.
Besides, any user-content serving platform will have to deal with malicious users. It is not a perfect process, especially against bot traffic. Shutting down the whole domain was very heavy handed.
I'll say it was. I can't believe they shut them down for content that had been removed over a week prior.
I realize some things take time, but the onus is on them to do a final verification before flipping the switch to shut down an entire business(!)
Google is "saving money" on support costs while simultaneously destroying their brand image (at least among the tech crowd). It will be near impossible for them to re-earn that goodwill. It's such ridiculously short sighted thinking.
I'm moving off of G-Suite this week. This is the final straw.
Automatically detecting phishing sites is surprisingly hard to do reliably. The only thing you can really do is rely on flagging and human verification.
I've seen domains like google5[.]$tld which contained a fake Google Login form, up for close to an hour with zero detects in VirusTotal and no detection by Google Safe Browsing itself. If Google fails at detecting phishing against their own brand, what chances do smaller shops realistically have? Here's the example I mentioned: https://twitter.com/urlscanio/status/1178043405529763841
Our production domains (gitbook.com and gitbook.io) have been blocked and locked by our registrar (Google Domains).
None of our infrastructure is impacted, all user content and databases are safe; our domains simply blocked by a heavy handed policy.
As mentioned on Twitter, we are all hands working with Google to fix this issues ASAP. We'll then share an in-depth post-mortem
https://twitter.com/GitBookStatus/status/1268554857411227648