[HN Gopher] Google Domains blocking all Gitbook URLS: post-mortem
___________________________________________________________________
Google Domains blocking all Gitbook URLS: post-mortem

Author : martypitt
Score  : 174 points
Date   : 2020-06-04 14:34 UTC (8 hours ago)

(HTM) web link (blog.gitbook.com)
(TXT) w3m dump (blog.gitbook.com)

| robk wrote:
| If you were hosting phishing sites then I'm glad they did this.
| You should have better controls.
| heipei wrote:
| Automatically detecting phishing sites is surprisingly hard to
| do reliably. The only thing you can really do is rely on
| flagging and human verification.
|
| I've seen domains like google5[.]$tld which contained a fake
| Google Login form, up for close to an hour with zero detects in
| VirusTotal and no detection by Google Safe Browsing itself. If
| Google fails at detecting phishing against their own brand,
| what chances do smaller shops realistically have? Here's the
| example I mentioned:
| https://twitter.com/urlscanio/status/1178043405529763841
| acituan wrote:
| According to the postmortem they had removed the site in
| question a week back. Google was acting on week-old data.
|
| Besides, any user-content serving platform will have to deal
| with malicious users. It is not a perfect process, especially
| against bot traffic. Shutting down the whole domain was very
| heavy handed.
| MattGaiser wrote:
| There is spam on Facebook, there is spam on Reddit, there is
| spam on Twitter, there is spam on Hacker News.
|
| Proactive spam control is not a solved problem anywhere.
| Banning a website over it is absurd.
| strooper wrote:
| Just out of curiosity- when Google is infamous for hard-to-reach
| human support, what in the Internet would make anyone interested
| to register their domain with them? Do they provide some sort of
| security or insurance that I am unaware of?
|
| All the popular dedicated domain registrars I have used so far
| have excellent human support.
| Godaddy, namecheap, namesilo to
| name a few. I don't know if big companies or corporate use
| something more to secure their domain names and DNS, do they?
| coffeefirst wrote:
| Because I bought it 10 years ago, when Google was a very
| different organization, and moving would appear to risk some
| email downtime.
| numpad0 wrote:
| Living in an autocracy is perfectly comfortable up until the very
| moment it no longer is
| TeMPOraL wrote:
| > _Just out of curiosity- when Google is infamous for
| hard-to-reach human support, what in the Internet would make anyone
| interested to register their domain with them?_
|
| I think that, despite what frequenting HN may make you think,
| most people using Google's services - even the more complex or
| paid ones - aren't aware of the problems with support.
| drusepth wrote:
| I moved/consolidated from GoDaddy and 101domain to Google
| Domains because of the support I've gotten from Google in the
| past (on Nexus/Pixel devices, Apps, Fiber, Fi, Stadia, etc).
|
| I always assume the people complaining about nonexistent
| support from Google are trying to get support for something
| they aren't paying for. You pay for Domains, and the support
| reflects that. You probably can't get support for getting
| locked out of a consumer Gmail account or help uploading a
| YouTube video.
| machbio wrote:
| The one surprising aspect about google domains - it is not
| integrated into Google cloud.. they are two separate products
| while AWS domain registration is part of aws cloud
| bduerst wrote:
| Unlike Amazon, Google has more domain-related services than
| just Cloud - i.e. Analytics, Sites, Places, etc - which is
| probably why it's still independent.
| thinkmassive wrote:
| "Everything is back to normal! The domains have been unblocked by
| the registrar. We are monitoring everything."
|
| https://twitter.com/GitBookStatus/status/1268565887256330241
| spacephysics wrote:
| After hearing this I'll be transferring away from Google domains.
| Had to use them for the initial .dev sales
| SamyPesse wrote:
| GitBook CTO here:
|
| Our production domains (gitbook.com and gitbook.io) have been
| blocked and locked by our registrar (Google Domains).
|
| None of our infrastructure is impacted, all user content and
| databases are safe; our domains are simply blocked by a heavy handed
| policy.
|
| As mentioned on Twitter, we are all hands working with Google to
| fix this issue ASAP. We'll then share an in-depth post-mortem
|
| https://twitter.com/GitBookStatus/status/1268554857411227648
| antoineMoPa wrote:
| This is unrelated, but you are the founder of codebox.io right?
| I always wondered why the service disappeared.
| SamyPesse wrote:
| Yes, we've pivoted a few years ago to GitBook. Codebox was
| not working very well.
| SamyPesse wrote:
| We've just published a postmortem:
| https://blog.gitbook.com/tech/post-mortems/06-20-gitbook-dom...
|
| let us know if you have any questions!
| dang wrote:
| Ok, we'll change the URL from
| https://twitter.com/GitBookStatus/status/1268528465990619137
| to that.
|
| I know it moves the rug under the existing discussion, but
| it's better than having two separate threads.
| umvi wrote:
| Seems like you should also move off of Google Domains, unless
| you have some compelling reason to use them.
| lol768 wrote:
| Seems like it's sorted now? It resolves for me
|     $ dig gitbook.com a @8.8.8.8 +short
|     104.18.9.111
|     104.18.8.111
| SamyPesse wrote:
| Yes, after 6h without getting many responses from Google
| Domains support, we just got a notification that they
| unblocked our domains.
|
| We are working on making sure that everything is correctly
| working.
|
| Workaround that we've set up to allow our users to still
| access the platform through different hostnames will continue
| working.
| om42 wrote:
| gitbook.com is working but gitbook.io is having trouble
| redirecting.
| solarkraft wrote:
| Do you plan to stay with Google considering the experience?
| SamyPesse wrote:
| No we don't, we were already planning on consolidating
| everything on Cloudflare, we are just going to make the
| switch sooner.
|
| We'll share more details in the postmortem.
| politelemon wrote:
| I'd be interested to know what this heavy handed policy
| was, assuming Google Domains gave you that information. I
| hope it wasn't something egregious or frivolous as I've
| seen with other parts of their organisation.
| kyleee wrote:
| Ha, no way google will give any information/explanation
| saagarjha wrote:
| > consolidating everything
|
| Are you sure that's the best strategy?
| votes wrote:
| HN seems to be the last resort to get Google to help :/
| numpad0 wrote:
| You can do the same elsewhere, any sufficiently large or
| deep social networking would work.
| talideon wrote:
| As a former domain registrar, I would get the authcode, unlock
| the domains, and transfer them away as soon as possible. It's
| been a while since I read the RAA
| (https://www.icann.org/resources/pages/approved-with-specs-20...),
| but it's rather extraordinary to put a domain on
| clientHold, which is what I assume they did to you, outside of
| non-payment or some kind of legal dispute.
| catsdanxe wrote:
| If you wanted good customer support you shouldn't have gone
| with Google. There are plenty of other more reputable domain
| registrars.
| CameronNemo wrote:
| Do you have examples?
| michaelt wrote:
| According to whois, google.com, amazon.com, github.com,
| microsoft.com, netflix.com, reddit.com, baidu.com,
| youtube.com, twitch.tv and wikipedia.org all use
| MarkMonitor [1]
|
| apple.com, twitter.com and ocado.com use CSC Corporate
| Domains [2]
|
| I have no idea what such services charge, but they're all
| "call for pricing" and none of those companies would blink
| at spending $10k/year on their domains.
|
| Not every well known brand uses such a service, though.
| bbc.com uses tucows, stackoverflow.com uses name.com and
| ycombinator.com uses gandi. facebook.com uses
| RegistrarSafe, a subsidiary of themselves, and almost every
| domain registrar is registered with themselves.
|
| [1] https://markmonitor.com/
| [2] https://www.cscglobal.com/global/web/csc//micro-domain-name-...
| hitpointdrew wrote:
| Google.com doesn't even use Google Domains....that is
| telling right there.
| snazz wrote:
| Google.com was registered long before Google Domains was
| created. Lots of other more modern Google domains---even
| .google ones---are registered with MarkMonitor as well.
| Google Domains doesn't compete with MarkMonitor for large
| businesses with extremely valuable domains.
| andyfleming wrote:
| GoDaddy has great support. It's available via phone and you
| don't need to be on some enterprise plan to get it.
|
| (Disclaimer: I work there)
| hundchenkatze wrote:
| No thanks.
|
| https://en.wikipedia.org/wiki/GoDaddy#Controversies
| Semaphor wrote:
| Wow, I'd use Google before I ever used GoDaddy, I mean
| that's probably the most well-known "Do not use under any
| circumstances" registrar.
| dhagz wrote:
| I'm a fan of Hover, personally.
| kube-system wrote:
| I haven't used them personally, but I've read a ton of rave
| reviews about gandi.net. Namecheap also talks a good talk,
| and Cloudflare has a good reputation.
| nicoburns wrote:
| Namecheap have been solid for me for several years now.
| abc-xyz wrote:
| Namecheap dumping personal info without informing their
| customer (https://news.ycombinator.com/item?id=18063667),
| Namecheap threatening to shut down a site if the customer
| doesn't delete two images posted there within 24 hours
| (https://news.ycombinator.com/item?id=14139288)
| artificial wrote:
| Which registrar is recommended?
| chrisweekly wrote:
| I've been happy with my dedicated providers:
| IWantMyName.com (registrar) and DNSMadeEasy.com (DNS).
| mech422 wrote:
| I like easydns - don't know who they resell thru, but
| it's awesome being able to call and get a real engineer
| on the phone and not a call center.
|
| I've been using them for years, and never had any
| technical issues...
| abc-xyz wrote:
| I personally prefer Gandi, but also use name.com and
| Cloudflare - haven't heard any horror stories about
| either of those 3 registrars.
| gfs wrote:
| Gandi had its own horror story not too long ago too:
| https://news.ycombinator.com/item?id=22001822
|
| I am a fan of NameCheap personally.
| snazz wrote:
| Cloudflare Registrar had some issues at one point but
| they had more to do with a broken system that assumed the
| domain was purchased elsewhere than anything else, if I
| remember correctly. Their support apparently handled that
| case very well.
| beardbound wrote:
| I have used hover for years and quite like them. The
| customer support was awesome when I had an issue with
| getting a .com.au domain set up for a business. Australia
| has some extra requirements for domains that I wasn't
| familiar with. I also like to have my domains separate
| from everything else so if I move hosts/email providers
| it's easy.
| OzzyB wrote:
| Apart from the most obvious examples, I would also consider
| Cloudflare's new registry service.
|
| It's cheap, at-cost, and they support a lot of the new TLDs
| like .io which is also a lot cheaper.
| RcouF1uZ4gsC wrote:
| > It's cheap, at-cost
|
| That to me is a downside since that means that that is
| not a core part of their business. Financially, it makes
| no difference to them if I use their service or not.
|
| I would rather pay a little extra to a company that has
| domain registration as a core part of their business and
| actually makes a profit from me.
|
| And domain names are cheap. Even if you pay twice as much
| as the cheapest service, it still will not make any
| difference in your bottom line.
| OzzyB wrote:
| The counter is it's also risky to use a company that
| _only_ does Domain Registration since it's a very low
| margin business and thus the risk for them shuttering is
| higher -- or they'll try to make it up with various
| erroneous fees
|
| I know the concern of putting all your eggs in one basket
| is real, but since CF's business is literally to take
| over your domain DNS and slap on some add-on services,
| adding domain registration in-house seems like a good
| fit.
| Semaphor wrote:
| > they support a lot of the new TLDs like .io which is
| also a lot cheaper.
|
| You might want to pick another example, .io is 23 years
| old [0]
|
| [0]: https://en.wikipedia.org/wiki/.io
| 411111111111111 wrote:
| For some reason people keep forgetting that io stands for
| indian ocean and is actually a regional tld like co.uk
| .net .de etc
|
| Same with .ai fwiw.
| skissane wrote:
| .io isn't just "Indian Ocean", it is British Indian Ocean
| Territory. The location of the Diego Garcia military base
| (jointly operated by US and UK). The British expelled its
| indigenous population (the Chagossians) to make way for
| the US military. The territory is claimed by Mauritius,
| and the International Court of Justice in 2019 ruled (in
| a non-binding opinion) that the UK's separation of the
| territory from Mauritius was unlawful.
|
| Some random British company convinced IANA to let it run
| the .io domain for their own profit.
| Their operation of
| it has nothing to do with the interests of its exiled
| inhabitants (the Chagossians), the British territorial
| and military authorities, or the US military presence
| which constitutes the territory's raison d'etre.
|
| I think it likely that, one of these days, something is
| going to happen to the .IO ccTLD operators. Their rights
| to it are very dubious, and someone else (the British
| government, the government of Mauritius, the Chagossians)
| could end up wresting it from them.
| zadokshi wrote:
| No one forgot. Everyone knows. No one cares.
| OzzyB wrote:
| Ah yes that's true, I always seem to group .io in with
| the new crowd of TLDs in the sense that it became trendy
| "recently"; and I only mentioned .io domains since
| GitBook uses one, "gitbook.io".
| MattGaiser wrote:
| 99% of people never need customer support, so I doubt most
| people consider it when choosing a service.
| m463 wrote:
| You may be downvoted, but I think it is true. I think they
| consider price and convenience most of all (both of which
| happen to be google's forte)
| Jtsummers wrote:
| That may be true for a given service, but I'd wager closer
| to 99% of people have used customer support for something
| in the past. It'd be foolish to disregard it when you know
| you've needed it before, even if not for that same service
| category.
| MattGaiser wrote:
| I don't think it should be disregarded, just that it is
| not top of mind when making the choice.
| yoran wrote:
| I don't understand why you got downvoted. Google's customer
| support is notoriously non-existent (perhaps except for stuff
| that brings in money like AdWords). They admit themselves
| that it's a business decision:
| https://www.seroundtable.com/google-support-staff-limits-139...
| ballenf wrote:
| Because it's about as helpful as saying "you shouldn't have
| moved to Los Santos if you value safety" to someone who's
| bleeding on the street having just been mugged.
|
| The same message could also be worded more like "once you
| get past this, I'm sure you're already considering moving
| registrars. But please let us know if the support you're
| receiving from them is as bad as (my experience /
| reputation / etc.)".
| Operyl wrote:
| Is it related to the countless phishing pages hosted on your
| service? I've noticed an uptick.
| ggm wrote:
| Having just moved 3 personal domains -> into google domains you
| can imagine I find this quite concerning.
|
| I wonder how the domain registry community at large feels about
| this? ICANN exists, domains are subject to a legal agreement with
| ICANN, and it has customer-protection concerns surely?
| Animats wrote:
| The biggest hoster of phishing sites is Google.[1] Here's a list
| of major sites which have live entries in PhishTank.[2] Hosting
| phishing sites on Google Drive is very popular.
|
| Many of those are long gone, but PhishTank hasn't cleaned them
| out, so they're still listed.
|
| [1] http://www.sitetruth.com/reports/phishes.html
| [2] http://www.sitetruth.com/fcgi/ratingdetails.fcgi?details=tru...
| heipei wrote:
| To be fair, every platform which allows user-generated HTML
| pages suffers massively from phishing and most of them don't
| deal with it very well: Google, Microsoft, smaller players like
| Codebox and countless others. Then there's phishing on Dropbox,
| phishing on Google Forms, OneDrive, etc. Then you have phishing
| at all the various hosters like DigitalOcean, CloudFlare, etc.
| Even there you'll sometimes have IPs which have been hosting
| phishing pages for various brands for a long time. It's not an
| isolated problem. Some deal with it more aggressively, true,
| but the pace and ease with which phishing can be stood up and
| modified makes it a whac-a-mole. Plus, the expectation is that
| most phishing pages will only be active for a few hours before
| being taken down and/or detected, so phishers pump out new ones
| on a constant basis.
|
| I run the service at https://urlscan.io which tracks phishing
| and frequently run into these cases which render any kind of
| black/whitelisting impossible. Imagine Microsoft phishing
| hosted on Microsoft domains and infrastructure. Here's a fun
| search which will return lots of phishing on windows[.]net and
| googleapis[.]com:
| https://urlscan.io/search/#page.domain%3A(googleapis.com%20O...
| Animats wrote:
| Google tends to be at the top of that list, though. It wasn't
| always. When I first started doing that, MSN was on top,
| usually followed by Yahoo. For a while, Google Sheets were
| being used for phishing. You can put HTML in a spreadsheet
| cell, apparently.
|
| I used to contact nonprofits and small businesses which
| showed up on that list. Inevitably, they'd had a break-in.
| With some nagging, I could cut the size of the list in half.
| dundercoder wrote:
| This mirrors my experience with google support, even as a paying
| gsuite customer. I lost a YouTube channel and wasn't given any
| option to restore it. Their advice was to just re-upload all the
| content and forget about view counts and old links that would no
| longer work.
| boromi wrote:
| I'm going through issues with G Suite as an admin. They
| randomly blocked my account falsely accusing me of sending
| spam. I can't even access the help support team since I can't
| login to the system.
| fouric wrote:
| This is completely insane - there's absolutely no legitimate
| reason for Google to _lock you out of your account_, even if
| you _were_ sending spam emails. Disable your ability to send
| new emails, maybe. Lock you out of your email inbox, maybe.
| But completely prevent you from accessing your account, and
| therefore even appealing? Inexcusable.
| koluna wrote:
| Google Domains locked my domains at renewal time and refused to
| renew them until I provided proof of identity in the form of a
| scanned government ID -AND- a scanned copy of the credit card.
|
| Coupled with the horror stories of non-existent support, the
| first thing I did was move my domains out this month.
| CameronNemo wrote:
| To where?
| bhhaskin wrote:
| I use Dynadot and haven't had any issues.
| sbarre wrote:
| Not OP but I've been with Hover for 10+ years and their
| customer service is excellent.
| hahadeservedit wrote:
| I told you guys, don't use Google Cloud or any of their services,
| but GPC users thought they are smarter... keep shooting in your
| own foot.
| coronadisaster wrote:
| A bit off topic but Google blocks me constantly from accessing my
| gmail account... is there any way to disable the "suspicious
| activity" "protection"?
___________________________________________________________________
(page generated 2020-06-04 23:00 UTC)