[HN Gopher] Google Domains blocking all Gitbook URLS: post-mortem
___________________________________________________________________
Google Domains blocking all Gitbook URLS: post-mortem
Author : martypitt
Score : 174 points
Date : 2020-06-04 14:34 UTC (8 hours ago)
(HTM) web link (blog.gitbook.com)
(TXT) w3m dump (blog.gitbook.com)
| robk wrote:
| If you were hosting phishing sites then I'm glad they did this.
| You should have better controls.
| heipei wrote:
| Automatically detecting phishing sites is surprisingly hard to
| do reliably. The only thing you can really do is rely on
| flagging and human verification.
|
| I've seen domains like google5[.]$tld which contained a fake
| Google Login form, up for close to an hour with zero detects in
| VirusTotal and no detection by Google Safe Browsing itself. If
| Google fails at detecting phishing against their own brand,
| what chances do smaller shops realistically have? Here's the
| example I mentioned:
| https://twitter.com/urlscanio/status/1178043405529763841
| acituan wrote:
| According to the postmortem they had removed the site in
| question a week back. Google was acting on a week old data.
|
| Besides, any user-content serving platform will have to deal
| with malicious users. It is not a perfect process, especially
| against bot traffic. Shutting down the whole domain was very
| heavy handed.
| MattGaiser wrote:
| There is spam on Facebook, there is spam on Reddit, there is
| spam on Twitter, there is spam on Hacker News.
|
| Proactive spam control is not a solved problem anywhere.
| Banning a website over it is absurd.
| strooper wrote:
| Just out of curiosity- when Google is infamous for hard-to-reach
| human support, what in the Internet would make anyone interested
| to register their domain with them? Do they provide some sort of
| security or insurance that I am unaware of?
|
| All the popular dedicated domain registrars I have used so far
| have excellent human support. Godaddy, namecheap, namesilo to
| name a few. I don't know if big companies or corporate use
| something more to secure their domain names and DNS, do they?
| coffeefirst wrote:
| Because I bought it 10 years ago, when Google was a very
| different organization, and moving would appear to risk some
| email downtime.
| numpad0 wrote:
| Living in an autocracy is perfectly comfortable up until very
| moment it no longer is
| TeMPOraL wrote:
| > _Just out of curiosity- when Google is infamous for hard-to-
| reach human support, what in the Internet would make anyone
| interested to register their domain with them?_
|
| I think that, despite what frequenting HN may make you think,
| most people using Google's services - even the more complex or
| paid ones - aren't aware of the problems with support.
| drusepth wrote:
| I moved/consolidated from GoDaddy and 101domain to Google
| Domains because of the support I've gotten from Google in the
| past (on Nexus/Pixel devices, Apps, Fiber, Fi, Stadia, etc).
|
| I always assume the people complaining about nonexistent
| support from Google are trying to get support for something
| they aren't paying for. You pay for Domains, and the support
| reflects that. You probably can't get support for getting
| locked out of a consumer Gmail account or help uploading a
| YouTube video.
| machbio wrote:
| The one surprising aspect about google domains - it is not
| integrated into Google cloud.. they are two separate products
| while AWS domain registration is part of aws cloud
| bduerst wrote:
| Unlike Amazon, Google has more domain-related services than
| just Cloud - i.e. Analytics, Sites, Places, etc - which is
| probably why it's still independent.
| thinkmassive wrote:
| "Everything is back to normal! The domains have been unblocked by
| the registrar. We are monitoring everything."
|
| https://twitter.com/GitBookStatus/status/1268565887256330241
| spacephysics wrote:
| After hearing this I'll be transferring away from Google domains.
| Had to use them for the initial .dev sales
| SamyPesse wrote:
| GitBook CTO here:
|
| Our production domains (gitbook.com and gitbook.io) have been
| blocked and locked by our registrar (Google Domains).
|
| None of our infrastructure is impacted, all user content and
| databases are safe; our domains simply blocked by a heavy handed
| policy.
|
| As mentioned on Twitter, we are all hands working with Google to
| fix this issues ASAP. We'll then share an in-depth post-mortem
|
| https://twitter.com/GitBookStatus/status/1268554857411227648
| antoineMoPa wrote:
| This is unrelated, but you are the founder of codebox.io right?
| I always wondered why the service disappeared.
| SamyPesse wrote:
| Yes, we've pivoted a few years ago to GitBook. Codebox was
| not working very well.
| SamyPesse wrote:
| We've just published a postmortem:
| https://blog.gitbook.com/tech/post-mortems/06-20-gitbook-dom...
|
| let us know if you have any questions!
| dang wrote:
| Ok, we'll change the URL from
| https://twitter.com/GitBookStatus/status/1268528465990619137
| to that.
|
| I know it moves the rug under the existing discussion, but
| it's better than having two separate threads.
| umvi wrote:
| Seems like you should also move off of Google Domains, unless
| you have some compelling reason to use them.
| lol768 wrote:
| Seems like it's sorted now? It resolves for me
| $ dig gitbook.com a @8.8.8.8 +short 104.18.9.111
| 104.18.8.111
| SamyPesse wrote:
| Yes, after 6h without getting much responses from Google
| Domains support, we just got a notification that they
| unblocked our domains.
|
| We are working on making sure that everything is correctly
| working.
|
| Workaround that we've setup to allow our users to still
| access the platform through different hostnames will continue
| working.
| om42 wrote:
| gitbook.com is working but gitbook.io is having trouble
| redirecting.
| solarkraft wrote:
| Do you plan to stay with Google considering the experience?
| SamyPesse wrote:
| No we don't, we were already planning on consolidating
| everything on Cloduflare, we are just going to make the
| switch sooner.
|
| We'll share more details in the postmortem.
| politelemon wrote:
| I'd be interested to know what this heavy handed policy
| was, assuming Google Domains gave you that information. I
| hope it wasn't something egregious or frivolous as I've
| seen with other parts of their organisation.
| kyleee wrote:
| Ha, no way google will give any information/explanation
| saagarjha wrote:
| > consolidating everything
|
| Are you sure that's the best strategy?
| votes wrote:
| HN seems to be the last resort to get Google to help :/
| numpad0 wrote:
| You can do the same elsewhere, any sufficiently large or
| deep social networking would work.
| talideon wrote:
| As a former domain registrar, I would get the authcode, unlock
| the domains, and transfer them away as soon as possible. It's
| been a while since I read the RAA
| (https://www.icann.org/resources/pages/approved-with-
| specs-20...), but it's rather extraordinary to put a domain on
| clientHold, which is what I assume they did to you, outside of
| non-payment or some kind of legal dispute.
| catsdanxe wrote:
| If you wanted good customer support you shouldn't have gone
| with Google. There are plenty of other more reputable domain
| regrestrars.
| CameronNemo wrote:
| Do you have examples?
| michaelt wrote:
| According to whois, google.com, amazon.com, github.com,
| microsoft.com, netflix.com, reddit.com, baidu.com,
| youtube.com, twitch.tv and wikipedia.org all use
| MarkMonitor [1]
|
| apple.com, twitter.com and ocado.com use CSC Corporate
| Domains [2]
|
| I have no idea what such services charge, but they're all
| "call for pricing" and none of those companies would blink
| at spending $10k/year on their domains.
|
| Not every well known brand uses such a service, though.
| bbc.com uses tucows, stackoverflow.com uses name.com and
| ycombinator.com uses gandi. facebook.com uses
| RegistrarSafe, a subsidiary of themselves, and almost every
| domain registrar is registered with themselves.
|
| [1] https://markmonitor.com/ [2]
| https://www.cscglobal.com/global/web/csc//micro-domain-
| name-...
| hitpointdrew wrote:
| Google.com doesn't even use Google Domains....that is
| telling right there.
| snazz wrote:
| Google.com was registered long before Google Domains was
| created. Lots of other more modern Google domains---even
| .google ones---are registered with MarkMonitor as well.
| Google Domains doesn't compete with MarkMonitor for large
| businesses with extremely valuable domains.
| andyfleming wrote:
| GoDaddy has great support. It's available via phone and you
| don't need to be on some enterprise plan to get it.
|
| (Disclaimer: I work there)
| hundchenkatze wrote:
| No thanks.
|
| https://en.wikipedia.org/wiki/GoDaddy#Controversies
| Semaphor wrote:
| Wow, I'd use Google before I ever used GoDaddy, I mean
| that's probably the most well-known "Do not use under any
| circumstances" registrar.
| dhagz wrote:
| I'm a fan of Hover, personally.
| kube-system wrote:
| I haven't used them personally, but I've read a ton of rave
| reviews about gandi.net. Namecheap also talks a good talk,
| and Cloudflare has a good reputation.
| nicoburns wrote:
| Namecheap have been solid for me for several years now.
| abc-xyz wrote:
| Namecheap dumping personal info without informing their
| customer (https://news.ycombinator.com/item?id=18063667),
| Namecheap threatening to shut down a site if the customer
| doesn't delete two images posted there within 24 hours
| (https://news.ycombinator.com/item?id=14139288)
| artificial wrote:
| Which registrar is recommended?
| chrisweekly wrote:
| I've been happy with my dedicated providers:
| IWantMyName.com (registrar)and DNSMadeEasy.com (DNS).
| mech422 wrote:
| I like easydns - don't know who they resell thru, but
| it's awesome being able to call and get a real engineer
| on the phone and not a call center.
|
| I've been using them for years, and never had any
| technical issues...
| abc-xyz wrote:
| I personally prefer Gandi, but also use name.com and
| Cloudflare - haven't heard any horror stories about
| either of those 3 registrars.
| gfs wrote:
| Gandi had its own horror story not too long ago too:
| https://news.ycombinator.com/item?id=22001822
|
| I am a fan of NameCheap personally.
| snazz wrote:
| Cloudflare Registrar had some issues at one point but
| they had more to do with a broken system that assumed the
| domain was purchased elsewhere than anything else, if I
| remember correctly. Their support apparently handled that
| case very well.
| beardbound wrote:
| I have used hover for years and quite like them. The
| customer support was awesome when I had an issue with
| getting a .com.au domain setup for a business. Australia
| has some extra requirements for domains that I wasn't
| familiar with. I also like to have my domains separate
| from everything else so if I move hosts/email providers
| it's easy.
| OzzyB wrote:
| Apart from the most obvious examples, I would also consider
| Cloudflare's new registry service.
|
| It's cheap, at-cost, and they support a lot of the new TLDs
| like .io which is also a lot cheaper.
| RcouF1uZ4gsC wrote:
| > It's cheap, at-cost
|
| That to me is a downside since that means that that is
| not a core part of their business. Financially, it makes
| no difference to them if I use their service or not.
|
| I would rather pay a little extra to a company that has
| domain registration as a core part of their business and
| actually makes a profit from me.
|
| And domain names are cheap. Even if you pay twice as much
| as the cheapest service, it still will not make any
| difference in your bottom line.
| OzzyB wrote:
| The counter is it's also risky to use a company that
| _only_ does Domain Registration since it 's a very low
| margin business and thus the risk for them shuttering is
| higher -- or they'll try to make it up with various
| erroneous fees
|
| I know the concern of putting all your eggs in one basket
| is real, but since CF's business is literally to take
| over your domain DNS and slap on some add-on services,
| adding domain registration in-house seems like a good
| fit.
| Semaphor wrote:
| > they support a lot of the new TLDs like .io which is
| also a lot cheaper.
|
| You might want to pick another example, .io is 23 years
| old [0]
|
| [0]: https://en.wikipedia.org/wiki/.io
| 411111111111111 wrote:
| For some reason people keep forgetting that io stands for
| indian ocean and is actually a regional tld like co.uk
| .net .de etc
|
| Same with .ai fwiw.
| skissane wrote:
| .io isn't just "Indian Ocean", it is British Indian Ocean
| Territory. The location of the Diego Garcia military base
| (jointly operated by US and UK). The British expelled its
| indigenous population (the Chagossians) to make way for
| the US military. The territory is claimed by Mauritius,
| and the International Court of Justice in 2019 ruled (in
| a non-binding opinion) that the UKs separation of the
| territory from Mauritius was unlawful.
|
| Some random British company convinced IANA to let it run
| the .io domain for their own profit. Their operation of
| it has nothing to do with the interests of its exiled
| inhabitants (the Chagossians), the British territorial
| and military authorities, or the US military presence
| which constitutes the the territory's raison d'etre.
|
| I think it likely that, one of these days, something is
| going to happen to the .IO ccTLD operators. Their rights
| to it are very dubious, and someone else (the British
| government, the government of Mauritius, the Chagossians)
| could end up wresting it from them.
| zadokshi wrote:
| No one forgot. Everyone knows. No one cares.
| OzzyB wrote:
| Ah yes that's true, I always seem to group .io in with
| the new crowd of TLDs in the sense that it became trendy
| "recently"; and I only mentioned .io domains since
| GitBook uses one, "gitbook.io".
| MattGaiser wrote:
| 99% of people never need customer support, so I doubt most
| people consider it when choosing a service.
| m463 wrote:
| You may be downvoted, but I think it is true. I think they
| consider price and convenience most of all (both of which
| happen to be google's forte)
| Jtsummers wrote:
| That may be true for a given service, but I'd wager closer
| to 99% of people have used customer support for something
| in the past. It'd be foolish to disregard it when you know
| you've needed it before, even if not for that same service
| category.
| MattGaiser wrote:
| I don't think it should be disregarded, just that it is
| not top of mind when making the choice.
| yoran wrote:
| I don't understand why you got downvoted. Google's customer
| support is notoriously non-existent (perhaps except for stuff
| that brings in money like AdWords). They admit themselves
| that it's a business decision:
| https://www.seroundtable.com/google-support-staff-
| limits-139...
| ballenf wrote:
| Because it's about as helpful as saying "you shouldn't have
| moved to Los Santos if you value safety" to someone who's
| bleeding on the street having just been mugged.
|
| The same message could also be worded more like "once you
| get past this, I'm sure you're already considering moving
| registrars. But please let us know if the support you're
| receiving from them is as bad as (my experience /
| reputation / etc.)".
| Operyl wrote:
| Is it related to the countless phishing pages hosted on your
| service? I've noticed an uptick.
| ggm wrote:
| Having just moved 3 personal domains -> into google domains you
| can imagine I find this quite concerning.
|
| I wonder how the domain registry community at large feels about
| this? ICANN exists, domains are subject to a legal agreement with
| ICANN, and it has customer-protection concerns surely?
| Animats wrote:
| The biggest hoster of phishing sites is Google.[1] Here's a list
| of major sites which have live entries in PhishTank.[2] Hosting
| phishing sites on Google Drive is very popular.
|
| Many of those are long gone, but PhishTank hasn't cleaned them
| out, so they're still listed.
|
| [1] http://www.sitetruth.com/reports/phishes.html [2]
| http://www.sitetruth.com/fcgi/ratingdetails.fcgi?details=tru...
| heipei wrote:
| To be fair, every platform which allows user-generated HTML
| pages suffers massively from phishing and most of them don't
| deal with it very well: Google, Microsoft, smaller players like
| Codebox and countless others. Then there's phishing on Dropbox,
| phishing on Google Forms, OneDrive, etc. Then you have phishing
| at all the various hosters like DigitalOcean, CloudFlare, etc.
| Even there you'll sometimes have IPs which have hosting
| phishing pages for various brands for a long time. It's not an
| isolated problem. Some deal with it more aggressively, true,
| but the pace and ease with which phishing can be stood up and
| modified makes it a whac-a-mole. Plus, the expectation is that
| most phishing pages will only be active for a few hours before
| being taken down and/or detected, so phishers pump out new ones
| on a constant basis.
|
| I run the service at https://urlscan.io which tracks phishing
| and frequently run into these cases which render any kind of
| black/whitelisting impossible. Imagine Microsoft phishing
| hosted on Microsoft domains and infrastructure. Here's a fun
| search which will return lots of phishing on windows[.]net and
| googleapis[.]com:
| https://urlscan.io/search/#page.domain%3A(googleapis.com%20O...
| Animats wrote:
| Google tends to be at the top of that list, though. It wasn't
| always. When I first started doing that, MSN was on top,
| usually followed by Yahoo. For a while, Google Sheets were
| being used for phishing. You can put HTML in a spreadsheet
| cell, apparently.
|
| I used to contact nonprofits and small businesses which
| showed up on that list. Inevitably,they'd had a break-in.
| With some nagging, I could cut the size of the list in half.
| dundercoder wrote:
| This mirrors my experience with google support, even as a paying
| gsuite customer. I lost a YouTube channel and wasn't given any
| option to restore it. Their advice was to just re upload all the
| content and forget about view counts and old links that would no
| longer work.
| boromi wrote:
| I'm going through issues with G Suite as an admin. They
| randomly blocked my account falsely accusing me of sending
| spam. I can't even access the help support team sicne I can't
| login to the system.
| fouric wrote:
| This is completely insane - there's absolutely no legitimate
| reason for Google to _lock you out of your account_ , even if
| you _were_ sending spam emails. Disable your ability to send
| new emails, maybe. Lock you out of your email inbox, maybe.
| But completely prevent you from accessing your account, and
| therefore even appealing? Inexcusable.
| koluna wrote:
| Google Domains locked my domains at renewal time and refused to
| renew them until I provided proof of identity in the form of a
| scanned government ID -AND- a scanned copy of the credit card.
|
| Coupled with the horror stories of non-existent support, the
| first thing I did was move my domains out this month.
| CameronNemo wrote:
| To where?
| bhhaskin wrote:
| I use Dynadot and haven't had any issues.
| sbarre wrote:
| Not OP but I've been with Hover for 10+ years and their
| customer service is excellent.
| hahadeservedit wrote:
| I told you guys, don't use Google Cloud or any of their services,
| but GPC users thought they are smarter... keep shooting in your
| own foot.
| coronadisaster wrote:
| A bit off topic but Google blocks me constantly from accessing my
| gmail account... is there anyway to disable the "suspicious
| activity" "protection"?
___________________________________________________________________
(page generated 2020-06-04 23:00 UTC)