ryan87
I'd like to know if any Namepros members know of any other registries doing this.
There's an interesting thread on Hacker News today. It links to a blog post with a warning about RADIX's misplaced confidence in Google's Safe Browsing blacklist. The OP shows correspondence from RADIX about a suspended domain:
The domain name xxxxxxx.online has been suspended due to its blacklisting on Google Safe Browsing. You may check the listing at [Google URL].
To get the domain unsuspended, please follow the delisting instructions mentioned on the listing page. Once the domain is delisted, kindly update us and we shall proceed with the unsuspension request.
This exchange demonstrates a failure in the domain system that poses a risk to registrants. I'll explain why, but first it's important to understand how the safe browsing blacklist works.
Google populates the safe browsing blacklist, at least in part, with heuristic analysis that's prone to false positives. That link is an example of heuristic analysis, not a claim that specific process is prone to false positives. Put more bluntly, regardless of the cause, at times Google will make false statements about the safety of a domain and put safe domains onto the blacklist. When this happens, site visitors will see the "red screen of death" along with a warning that it's dangerous to visit the site.
Immich, along with self-hosters of Immich, had their domains blacklisted via false positives several months ago. My primary, 25-year-old family domain that I rely on for my digital life was one of them, so I've experienced it firsthand. Some things that I observed while dealing with it:
- Most browser vendors use the blacklist; likely Chrome, Edge, Firefox, and Safari from what I observed, so basically all of them.
- A false positive on a single subdomain can get your entire domain flagged. This happened to mine.
- There is no governing authority or oversight and it's a proverbial "death sentence" blacklist managed by a private company: Google.
- You must sign up for Google Search Console to attempt to resolve the issue.
- You must add your domain to the Google Search Console, and verify it, before you can see the URLs Google incorrectly put on the blacklist and before you can request an appeal.
- Google incorrectly adds your domain to the Google Safe Browsing blacklist.
- Registries appear to be using Google's blacklist as an authoritative source of DNS abuse.
- Registries place blacklisted domains on serverHold.
- The serverHold status causes DNS deactivation.
- A lack of DNS makes it impossible to verify the domain in the Google Search Console, so you can't appeal Google's blacklisting.
This status code is set by your domain's Registry Operator. Your domain is not activated in the DNS.
This leaves registrants in an impossible situation where the registry wants them to appeal the blacklisting by Google before DNS will be reinstated, but Google won't accept an appeal without domain verification that relies on working DNS.
In my opinion, the domain industry has two failures here:
- ICANN is failing to provide abuse handling systems that work for registrants. Obligations are bifurcated between registrars and registries and every organization involved has a different set of policies. It's extremely difficult for registrants to determine what the abuse handling rules are for their domain and, as this example demonstrates, there's a reliance on automated tooling that's prone to failure.
- It appears RADIX hasn't worked through their abuse handling policies from the perspective of a registrant. If RADIX is going to blindly trust Google's blacklist, someone from RADIX should explain how they expect registrants to recover from false positives like the one in this example. Their correspondence with the blog poster shows a lack of understanding of the procedure they're recommending because they're asking for something that may be impossible given the circumstances.
- ICANN could consolidate and manage abuse handling. Registrants need a single set of rules and the current system makes most of the new TLDs untouchable IMO.
- ICANN could require first party investigation of abuse handling claims prior to allowing domains to be placed into clientHold or serverHold status.
- ICANN could require registries to provide a working, viable appeals process for suspended domains.
Action(s) may vary depending on the circumstances of each case, taking into account the severity of the harm from the DNS Abuse and the possibility of associated collateral damage.
Obliterating a domain with serverHold and having a circular dependency that makes it impossible for the registrant to recover is quite a bit of collateral damage IMO.
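
An added example, not part of the original post: a small Python check a registrant could run over periodically saved RDAP responses for their own domain, to notice a serverHold or clientHold as soon as it is set and to see which party set it. The RDAP status strings follow RFC 8056; the domain, dates and snapshots are constructed, and the function names are hypothetical.

```python
import json

# RDAP status strings (RFC 8056) for the two EPP hold codes, and who sets each.
HOLDS = {
    "server hold": ("serverHold", "registry"),
    "client hold": ("clientHold", "registrar"),
}

def assess(rdap: dict) -> dict:
    """Summarise the hold state found in one RDAP domain object."""
    statuses = {s.lower() for s in rdap.get("status", [])}
    holds = [HOLDS[s] for s in sorted(statuses) if s in HOLDS]
    changed = next((e.get("eventDate") for e in rdap.get("events", [])
                    if e.get("eventAction") == "last changed"), None)
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "holds": [code for code, _ in holds],
        "set_by": sorted({party for _, party in holds}),
        # A held domain is not activated in the DNS, so any domain
        # verification that relies on working DNS cannot succeed.
        "dns_verification_possible": not holds,
        "last_changed": changed,
    }

def new_holds(previous: dict, current: dict) -> list:
    """Hold codes present now that were absent in the previous snapshot."""
    before = set(assess(previous)["holds"])
    return [h for h in assess(current)["holds"] if h not in before]

# Constructed sample snapshots of the same placeholder domain.
YESTERDAY = json.loads("""{"objectClassName": "domain", "ldhName": "example.online",
  "status": ["active"],
  "events": [{"eventAction": "last changed", "eventDate": "2025-01-01T00:00:00Z"}]}""")
TODAY = json.loads("""{"objectClassName": "domain", "ldhName": "example.online",
  "status": ["server hold", "client transfer prohibited"],
  "events": [{"eventAction": "last changed", "eventDate": "2025-01-02T09:30:00Z"}]}""")

if __name__ == "__main__":
    report = assess(TODAY)
    for code in new_holds(YESTERDAY, TODAY):
        print(f"ALERT {report['domain']}: {code} set by {report['set_by']}, "
              f"changed {report['last_changed']}")
    print(json.dumps(report, indent=2))
```
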