BarterClubJul 21, 2023

Welp that answers a lot of why all .ml are down

https://sh.itjust.works/post/1473025

Welp that answers a lot of why all .ml are down - sh.itjust.works

Show threaddb2
This brings a disturbing thought to mind… if an instance domain name like foo.bar lapses and someone else snaps the domain up (or of it gets stolen) can the new controller plop Lemmy on a server and be instantly federated? If so what kind of damage could they do?
Jul 21, 2023 at 2:21amWeb
Show threadWanderJul 21, 2023
No, the signatures wouldn’t match.
Show threadlolcatnipJul 21, 2023
This is why you don’t let your domain registration lapse. It’s not the only way computers on the internet verify each other’s identity, but a hell of a lot of internet security features are based around domain names, so keeping yours functioning is a very big deal.
Show threadfinnJul 21, 2023
Domain registration ≠ internet security. Root of trust is in cryptographic keys, not domains. DNS is not the security cornerstone you make it out to be. PKI says hi!
Show threadmleJul 21, 2023
Yes, but it is very quick and cheap to get a domain validated cert from a CA that is generally trusted by most web browsers, so once the bad actor has the domain, the should be able to trick most users, only maybe certificate pinning might help, but that is not widely used.
Show threadredcalciumJul 21, 2023
Consider how many system relies on being able to send you an email for verifying your login and performing password reset. Those who have control over your email address domain can trigger password reset for most of online services out there. Imagine if Google forgot to renew gmail.com and it falls to a wrong hands.
Show threadlolcatnipJul 21, 2023

Email is tied to domains. TLS is tied to domains. CORS is tied to domains. OAuth is tied to domains. Those are just four things I can think of while half asleep. Here’s one recent example of how screwing up a domain name is enough by itself to cause a security breach.

Cryptography is not security any more than domain names are; both are facets of how security is implemented but there’s no one system that makes the Internet secure.

Typo leaks millions of US military emails to Mali web operator

Spelling error misdirected sensitive Pentagon messages to company running Mali’s TLD.

Ars Technica
Show threadhemmesJul 21, 2023

ICANN has an Expired Registration Recovery Policy (ERRP) that requires your registrar to give your domain a 30-day grace period before deleting the records. ERRP also requires them to shutdown your DNS resolutions 8 days before deletion.

You’d have to be really mismanaging your domain if you miss all the required email reminders and don’t notice your domain has been non functional for a couple of days.

5 Things every Domain Name Registrant should know about ICANN's Expired Registration Recovery Policy (ERRP) - ICANN

Show threaddb2Jul 21, 2023
I think Microsoft and Google have both done it, but what do they know? 🤣
Show threadhemmesJul 21, 2023
Oh really? Haven’t heard that one, back in the day or something?
Show threadphysicswizardJul 21, 2023
Yeah some dude bought the google.com domain via some glitch a while back. Here’s a story about it.
The guy who bought Google.com from under Google's nose

Google confirms that ex-employee Sanmay Ved bought the Google.com domain for about a minute last fall for $12, and that it paid $12,000 to charity to get it back.

CNNMoney
Show threadhemmesJul 21, 2023
Awesome lol
Show threadcdivJul 21, 2023
Yup. Microsoft let hotmail lapse once. Someone paid for the renewal for them. slashdot.org/…/microsoft-hotmail-domain-reward-ch…
Microsoft Hotmail Domain Reward Check on E*Bay - Slashdot

Big_Joe wrote to us with the continuing story of Michael Chaney. Michael is the guy who paid the re-registration fee for the Hotmail domain name, after Microsoft had failed to over the Christmas holiday. He's auctioning the 500$ "thank you" check off on E*Bay and has pledged to donate the winning b...