Latest news of the domain name industry

GoDaddy ordered to stop lying about crappy security

Kevin Murphy, January 16, 2025, Domain Registrars

GoDaddy has agreed to roll out some pretty basic security measures and has been told to stop lying about how secure its hosting is, under an agreement with US regulators.

It turns out that the company, while claiming that security “was at the core of everything we do”, was failing to do some pretty basic stuff like installing software patches, retiring end-of-life servers, or securing internet-facing APIs.

Its settlement with the Federal Trade Commission finds that GoDaddy engaged in “false or misleading” advertising and orders that it “must not misrepresent in any manner” its security profile in future.

The FTC complaint (pdf), filed in 2023 after reports of mass hacking incidents, states:

Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.

The complaint says that GoDaddy had a slack patching regime that was left up to individual product teams to execute, with no centralized management.

This meant thousands of boxes in its Shared Hosting environment were subject to critical vulnerabilities that allowed bad guys to get in and steal data such as user credentials and credit card info for months.

The complaint also describes a custom internet-facing API designed to enable customer support staff to access details about managed WordPress users, such as login credentials.

This API was apparently open to the internet, unfirewalled, used plaintext for credentials, and had no multi-factor authentication in place, again enabling hackers to steal data.

One or more “threat actors” abused this lax security to pwn tens of thousands of servers between October 2019 and December 2022, according to the complaint.

The settlement (pdf), in which GoDaddy does not admit or deny any wrongdoing, does not come with an associated fine.

Instead, GoDaddy has agreed to a fairly extensive list of requirements designed to increase the security of its hosting services.

Antisemitic remarks cost registrar dearly

Kevin Murphy, December 9, 2024, Domain Registrars

A domain registrar based in Jordan appears to have lost about a third of its gTLD domains under management after ICANN slammed it for its founder’s televised antisemitic comments.

Talal Abu Ghazaleh Intellectual Property, which goes by the name AGIP, saw a huge decline in DUM in February, a month after ICANN’s then-CEO described Talal Abu-Ghazaleh’s remarks on Jordanian TV as “beyond offensive or objectionable”.

Abu-Ghazaleh had deployed some pretty clear-cut antisemitic tropes and seemed to try to justify the Holocaust in a news interview related to the war in Gaza, causing outrage from at least one Jewish ICANN community member.

After Costerton’s published chastisement, AGIP’s DUM fell from 1,371 to 930 over the space of a month. It was the first substantial decline on record, with its DUM having been on a fairly steady but slow upward trajectory.

In August, the last month for which we have records, its gTLD DUM had gone down to 695, about half its peak.

AGIP is a boutique intellectual property management registrar, likely with higher margins than your typical domain retailer. A decline of a few hundred domains could represent the loss of just a few customers.

The registrar still has its ICANN accreditation. It’s also still contracted with ICANN to run an instance of the L-root DNS root server in Amman, despite a call for it to lose that deal.

But, as Domain Name Wire noted on Friday, it’s no longer listed as providing UDRP services for ICANN. This change seems to have occurred in mid-September, judging by Archive.org records.

ICANN says it WILL raise its domain taxes soon

Kevin Murphy, October 28, 2024, Domain Registrars

Prices in all gTLDs will go up after ICANN told registries and registrars last week that it plans to increase the fees it charges them, sometimes called its “tax”, next year.

The extra fee ICANN takes from registrars for each new domain registration and renewal will increase from $0.18 to $0.20, according to an email sent from ICANN VP Russ Weinstein to registrars Thursday evening.

This fee is typically passed on explicitly and directly to registrants in their registrar’s shopping cart.

Less-visible charges on registries will also go up. The fixed quarterly fee will go from $6,250 per quarter ($25,000 per year) to $6,450 per quarter ($25,800 per year) and the per-transaction fee will go up from $0.25 per year to $0.258 per year.

The registry fee changes will take effect January 1, but the registrar fee changes will not take effect until July 1, 2025, the start of ICANN’s next fiscal year, according to ICANN.

“After more than a decade of no changes to registry-level and registrar-level fees, ICANN would like to increase the fees it charges to both parties,” Weinstein wrote.

The two cents tax increase is big in percentage terms — about 11% — while the registry fee is more in line with US inflation at 3.20%.

The fixed registrar accreditation fee is to stay the same at $4,000 per year, while the variable accreditation fee, which is divided between registrars based on their transaction volume, is going up from a total of $3.42 million to $3.8 million per year.

The increases come as ICANN struggles to fill a $10 million hole in its budget — a situation that has already led to layoffs — and some back-of-the-envelope calculations suggest the combined fee increases are designed to raise annual revenue in that ball-park.

Due to the differences between the standard Registry Agreement and Registrar Accreditation Agreement, ICANN can push through the registry fee increases fairly quickly and unilaterally, while the registrar changes have some red tape.

The two-cent tax increase will be part of ICANN’s usual budget process, which includes a public comment period and consideration by the board of directors, while the variable fee increase will be subject to a registrar vote.

Note: an early, unfinished draft of this post was inadvertently published on Friday, for which I can only apologize.

Senator says domain industry “enables” Russian disinfo attacks

Kevin Murphy, October 24, 2024, Domain Registrars

An influential US senator has accused major registries and registrars including GoDaddy and Namecheap of facilitating Russian disinformation campaigns.

Senator Mark Warner, the Democrat chair of the Senate Select Committee on Intelligence, told registrars that “legislative remedies” may be required unless they “take immediate steps to address the continued abuse of your services for foreign covert influence”.

The threat came in letters sent to registrar groups Namecheap, GoDaddy, Cloudflare, NewFold Digital, NameSilo, and .com registry Verisign today.

Warner’s letters seem to have been inspired by Facebook owner Meta, perhaps the domain industry’s most prolific antagonist, and align closely with Meta’s views on issues such as cybersquatting and Whois access.

The criticisms also stem from a recent FBI seizure of 32 domains that were being used to proliferate fake news about the invasion of Ukraine and the upcoming US presidential election.

The Russian campaign, known as Doppelganger, used domains such as fox-news.in and washingtonpost.pm to trick visitors into thinking they were reading news sources they trust.

Warner tells the registrars (pdf) they have “ostensibly facilitated sustained covert influence activity by the Russian Federation and influence networks operating on its behalf”.

The main concern appears to be the lack of access to private information in Whois records. Warner’s list of industry sins includes:

withholding vital domain name registration information from good-faith researchers and digital forensic investigators, ignoring inaccurate registration information submitted by registrants, and failing to identify repeated instances of intentional and malicious domain name squatting used to impersonate legitimate organizations

Warner called for “immediate” action “to address the continued abuse of your services” as the US presidential election looms, and in its aftermath. Voters go to the polls November 5.

ICANN gunning for Tencent over abuse claims

Kevin Murphy, September 23, 2024, Domain Registrars

ICANN Compliance is taking on one of the world’s largest technology companies over claims that a registrar it owns turns a blind eye to DNS abuse and phishing.

The Org has published a breach of contract notice against a Singapore registrar called Aceville Pte Ltd, which does business as DNSPod and is owned by and shares its headquarters with $86-billion-a-year Chinese tech conglomerate Tencent.

ICANN says that DNSPod essentially has turned a blind eye to recent abuse reports, allowing phishing sites to stay online long after they were reported, and makes life difficult for people trying to report abuse.

It also has failed to upgrade from the Whois protocol to RDAP and failed to migrate its registration data escrow service provider from NCC to DENIC, according to the notice.

According to ICANN, DNSPod received abuse reports about several domains in July and August but failed to take action at all or until ICANN itself got in touch to investigate. Compliance wants to know why.

ICANN adds that the registrar seems to be requiring reporters to create user accounts and use a web form to submit their reports, even after they’ve already used the abuse@ email address.

Stricter rules on DNS abuse came into force on registrars this April. They’re now required to take action on abuse reports.

“Aceville does not appear to have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse,” the notice reads.

ICANN has given DNSPod until October 11 to answer its questions or risk escalation.

While DNSPod says it has been around for 17 years, it only received its ICANN accreditation in 2020. Since then, it’s grown to almost 200,000 domains under management in gTLDs.

It’s primarily a DNS resolution service provider, saying it hosts over 20 million domains, and does not appear to operate as a retail registrar in the usual sense.

Owner Tencent may not be a household name in the Anglophone world, but it’s the company behind some of China’s leading social media brands, including QQ and WeChat, as well as a formidable force in gaming and one of the world’s richest companies in any sector.

It’s the second huge Chinese tech firm to find itself publicly shamed by ICANN in recent months. Compliance went after Tencent’s primary competitor, Alibaba, on similar grounds in March. Alibaba has since resolved the complaints.

Squarespace gets sweetened $7.2 billion takeover offer

Kevin Murphy, September 10, 2024, Domain Registrars

Squarespace looks set to be acquired by private equity firm Permira in a sweetened cash deal valuing the registrar at about $7.2 billion.

The new $46.50 per share offer is an improvement over Permira’s initial May offer of $44 and represents a 36.4% premium over Squarespace’s share price the day before the takeover was announced.

Squarespace said the deal, which values the company at about $300 million more than the May offer, has been approved by an independent committee of its board of directors and is Permira’s “best and final” offer.

Squarespace has about 10 million gTLD domains under management across two ICANN accreditations, one of which is the old Google Domains, but is perhaps best known for its web site building services.

The company has previously said that going private will help it compete better in the small business online presence market, where it sees its competition as the likes of GoDaddy and Wix.

Chinese registrars back in trouble after porn UDRP suspension

Kevin Murphy, September 5, 2024, Domain Registrars

A collection of six registrars in the XZ.com stable are back on the ICANN naughty step, facing more Compliance action just a couple of years after a sister company was suspended over UDRP failures.

ICANN has published breach notices against DotMedia and five other registrars under common ownership, claiming that they are failing to send their registration data to the correct escrow provider.

Since last year, registrars have been obliged to escrow their data to DENIC, which replaced NCC Group as ICANN’s sole provider. Escrow is important as it helps make sure registrants keep their domains if a registrar goes out of business.

The six DotMedia registrars have failed to make this transition despite months of hand-holding from ICANN, according to the breach notices. Compliance has been on their case since at least April.

The registrars are among 20 that appear to be under common management, almost all based in Hong Kong and using xz.com as their primary storefront, and it’s not clear why only six accreditations have been found in breach.

The whole group appears to be on the skids in terms of registration volume. The main accreditation, US-registered MAFF Inc, once had around 600,000 gTLD names under management, but that’s down to around 60,000 in the latest registry reports. The others have a few thousand each, having suffered similar percentage declines.

Another member of the group, ThreadAgent.com, was actually suspended for months in 2022 after it failed to transfer two domains lost in cybersquatting complaints under the UDRP to BMW and Lockheed Martin.

The six registrars have until September 25 to come back in compliance or face further action.

Uzbekistan gets its first ICANN registrar

Kevin Murphy, August 29, 2024, Domain Registrars

A registrar in Uzbekistan has become the first in the country to receive its official ICANN accreditation, according to the latest records.

Tashkent-based Suvan.net, which does business as @host.uz (ahost.uz), currently specializes in the local .uz ccTLD, where it appears to be the leading registrar by some margin.

The company already sells gTLD domains too, albeit as a reseller. It claims to have over 30,000 customers.

Unstoppable gets ICANN accreditation

Kevin Murphy, August 14, 2024, Domain Registrars

Unstoppable Domains has become the second blockchain alt-root naming service to get its ICANN accreditation.

The company said today it intends to carry “the vast majority of generic top-level domains”. It had already been selling .com names, alongside its suite of blockchain extensions, as a reseller.

It also said it intends to sell ccTLD domains, although ICANN accreditation is of course not required for most of those.

It’s the second purveyor of blockchain names to move into the domain name industry after Freename, which got its accreditation last month.

Unstoppable is also working with several blockchain technology companies to prepare applications for new gTLDs when ICANN opens its next application window in 2026.

Revealed: who’s really running Epik

Scandal-rocked registrar Epik promised to turn over a new leaf when it got acquired last year, and now the guy in charge of the domains business, a familiar face to many, has broken cover and talked to DI about the company’s recent woes and turnaround plans.

That guy is director of domains Christopher Ambler, a thirty-year veteran of the industry, who came out of stealth mode today to talk about how he wants to kill Epik’s reputation as a refuge for far-right hate and regain the trust of its customers.

Ambler is perhaps best-known as the founder and CEO of Image Online Design, the company that offered a .web gTLD in an alt-root in the 1990s. More recently, until 2021 he also spent seven years as principal software architect at GoDaddy.

Ambler says he joined Epik’s new owner, Registered Agents Inc, which specializes in company formation services, in November 2022, with a remit to scratch-build a registrar to offer the company’s clients online presence services.

“The basic story is boring as hell,” Ambler said. “Registered Agents does business formations… the company just decided it made sense to be a registrar. They brought me on a year and a half ago with the idea to just build this thing from scratch.”

About six or seven months into this project, in June 2023, Registered Agents decided it could cut a couple of years of development time by simply acquiring the assets of an existing registrar, Ambler said, and Epik’s were up for grabs.

At the time, Epik was on the ropes, rocked by a financial mismanagement scandal under then-CEO Rob Monster that had led to registries disconnecting it for non-payment and an ICANN probe that put it at risk of losing its accreditation and going out of business.

Registered Agents paid $5 million for the registrar and set about paying off the registries and getting the ICANN accreditation transferred to the new owners, from Monster’s Epik Inc to the new Epik LLC.

Due to the nature of Registered Agents’ business — it sets up companies for people, often anonymously and not always to nice people — theories abounded, notably on the Namepros discussion forum, that the new owner was just a front for Monster.

“I totally get the whole ‘We think this is Rob Monster pulling another shady deal’ thing, and I don’t know this for a fact but if I were ICANN I would have thought that was entirely a possibility,” Ambler said. “But they went over it with a fine toothed comb and a microscope.”

Quite apart from the business mismanagement, Epik came with a tonne of reputational baggage. It had long been known as a safe haven for far-right bullies, with the likes of Gab.com, The Daily Stormer, InfoWars and Kiwi Farms among its customer base.

Ambler, who describes himself as “kind of a hippy”, culturally Jewish with spiritual leanings toward Buddhism, was not comfortable with this legacy.

While the new Epik did not publicly disassociate itself from these customers until early 2024, Ambler said the decision was made much sooner.

“When the deal was signed to buy Epik we knew on that day we were no longer the ‘free speech registrar’, we were not the right-wing registrar,” he said. “That’s what the old Epik did, I personally don’t agree with that.”

He compared the gear-shift to the day he interviewed at GoDaddy over a decade ago and made it clear he wasn’t happy working for the company if it was still running the “sexist” TV ads it was famed for in the noughties, which by then it had discontinued.

“When I was told we’re looking at buying [Epik’s] assets, the first thing I said was ‘Okay, but there is some dumpster fire involved here, we’re not going to keep that, right?’ and everybody said ‘No’,” Ambler said. “Absolutely everybody was completely on-board.”

The company then set about “politely inviting” its more controversial customers to take their business elsewhere and shutting down any customers involved in outright illegality, such as unlicensed pharmacies, publishing child sexual abuse material or hate speech that crossed the line into incitement to violence.

“I wouldn’t say it was a significant portion of the business, but it was certainly non-zero,” Ambler said. Hundreds of customers were “shown the door”, he said.

“One of the things that angsts me is when you look at the online talk about Epik a lot of people still to this day think Epik is the right-wing registrar, because there’s so much stuff out there from years and years ago,” he said.

“People think Epik is the refuge of the white supremacists,” he said. “I really want to combat that message.”

Ambler said he also oversaw a security review of Epik’s code, following a major breach in 2021.

“We went nuts on security for the first couple months, just making sure everything was safe,” he said.

Was it?

“It is now,” he said.

Since the takeover, Epik has lost hundreds of thousands of domains as customers, fed up with its earlier antics and/or suspicious of the new owners, transferred to other registrars.

At its peak in August 2022, the company had 808,160 gTLD domains under management. By March 2024, the most recent month for which we have records, that number had dropped to 265,845, a loss of over half a million names.

“I daresay we’ve bottomed out at this point and actually have net positives on a number of metrics, but we kind of expected that,” Ambler said.

“Keep in mind that the peak of Epik was mostly accomplished by Rob Monster selling domains at a huge loss to create more appearance of growth,” he added. “That was his goal. He wanted to show that Epik was growing by leaps and bounds, but the company was taking losses left and right.”

Looking forward, Epik is focusing less on being the “be-all and end-all” to domain investors and more on being a solid “world class” retail registrar and selling to Registered Agents’ million-plus existing customers.

Ambler’s final messages to DI readers?

“First, we’re not the right-wing registrar, so please don’t confuse us with the old Epik,” he said, “Second, I’m terribly sorry it’s more boring than a lot of people seemed to think.”

“I’d love to get out there and tell people we’re the good guys now,” he said.