Freenom gives away domains, many of which are used by phishers and other bad actors. Meta is suing them for not being responsive to their complaints about this. And I guess the injury inflicted on their users by phishers.
Wait, is it actually Freenom’s fault? Isn’t it from whatever server the malicious actions come from?
For example, I use one of their domains along with a Digital Ocean droplet, and I used it briefly to increase my seeding ratio by port forwarding my qBittorrent port. After several months I got a letter from DO (which is amusing because my country couldn’t care less about torrenting lol), which I think is correct. I don’t think this is Freenom’s fault.
I’m assuming they’ve run afoul of something similar to the DMCA safe harbor provisions. Basically under the DMCA a hosting provider isn’t responsible for violations due to user submitted content as long as they’re responsive to notifications and remove the content quickly when notified.
Now that applies to copyright, not domain names, but I’m assuming there’s some kind of similar law at play. Meta has said that Freenom has been ignoring complaints about domains registered with them that are being used for phishing attacks. It could also be a DMCA issue because I think it does have some anti-domain-squatting provisions in it that prevent you from e.g. registering say cocacola.ml as you aren’t the holder of that trademark.
In theory depending on where Freenom is run out of they might be able to just ignore the lawsuit, but it’s probable that doing so will get them blocked by various ISPs and organizations.
Registrars not only have rights, but also responsibilities. They physically own the domain names and bear responsibility to ensure their domain names follow international rules.
FYI I have made a tool that can back up / copy your account settings, subscriptions, and blocks to a new account: github.com/CMahaff/lasim
There are others out there as well if you look.
Obviously the loss of .ml communities would still be catastrophic to Lemmy, but at least your new account won’t start from ground-zero, and you can be less affected by downtime by having 2 accounts with the same subscriptions.
Yeah this sucks for my small but growing community. I’ve created an alternative instance elsewhere (on .world) but hopefully .ml doesn’t go down forever.
I think that’s different because the .ml domain apparently was being given away for free by a registrar that wasn’t responding to abuse complaints, and thus was being heavily abused.
…but if not, then holy shit what a mistake it was to register [email protected] as my primary email address.
This brings a disturbing thought to mind… if an instance domain name like foo.bar lapses and someone else snaps the domain up (or if it gets stolen) can the new controller plop Lemmy on a server and be instantly federated? If so what kind of damage could they do?
This is why you don’t let your domain registration lapse. It’s not the only way computers on the internet verify each other’s identity, but a hell of a lot of internet security features are based around domain names, so keeping yours functioning is a very big deal.
Domain registration ≠ internet security. Root of trust is in cryptographic keys, not domains. DNS is not the security cornerstone you make it out to be. PKI says hi!
Yes, but it is very quick and cheap to get a domain-validated cert from a CA that is generally trusted by most web browsers, so once the bad actor has the domain, they should be able to trick most users. Only maybe certificate pinning might help, but that is not widely used.
Consider how many systems rely on being able to send you an email for verifying your login and performing password reset. Those who have control over your email address domain can trigger password reset for most of the online services out there. Imagine if Google forgot to renew gmail.com and it fell into the wrong hands.
Email is tied to domains. TLS is tied to domains. CORS is tied to domains. OAuth is tied to domains. Those are just four things I can think of while half asleep. Here’s one recent example of how screwing up a domain name is enough by itself to cause a security breach.
Cryptography is not security any more than domain names are; both are facets of how security is implemented but there’s no one system that makes the Internet secure.
ICANN has an Expired Registration Recovery Policy (ERRP) that requires your registrar to give your domain a 30-day grace period before deleting the records. ERRP also requires them to shut down your DNS resolutions 8 days before deletion.
You’d have to be really mismanaging your domain if you miss all the required email reminders and don’t notice your domain has been non functional for a couple of days.
I was using .ml domains for my selfhosted services, since it was just a hobby and I didn’t want to invest money in it. Apart from the Freenom website being pretty unusable for as long as I can remember, I already had trouble renewing them last year, and now they stopped working without any notice or update from Freenom itself. Finally I decided to move to a paid domain from Infomaniak, since it’s been more than a year I’ve been selfhosting and $10/year is a fair price for me.
But still, without those free domains I probably wouldn’t ever have started selfhosting, and I guess a lot of other people like me wouldn’t have experimented or spun up their projects if they had to pay for a domain from the beginning. So despite my hate for Freenom I guess I have to thank them and hope someone else (maybe a bit more “professional”) will take its place in the future.
The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted by Interisle Consulting Group, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.
Umm… Can we talk about how a private company is suing another private company over something that should be in the interest of the government/general public? Where are our agencies, where is Interpol/Europol or ENISA?
A week ago I literally read articles about how .ml was switching to the (Russian-influenced) Mali government in a week, and did not even think about how lemmy.ml would be affected