Unrelated to the article but seeing .tk brings back many memories. As a kid without a bank account let's alone an international credit card (VISA/Mastercard), dot.tk is the only way to put a website online with your name. I created countless of websites with .tk for classmates, school and families.
Thank god, .tk caused so many headaches for us, truly a cesspit of a tld. The rate of fraud and abuse on our platform was staggeringly high from it, it was close 99%.
It would follow that Cloudflare is tacitly admitting they have been / are hosting a large number of domains used for fraud and abuse. That surprises me, given the time and effort they spend mitigating fraud and abuse. Anyone care to explain what I'm missing?
That surprises me, given the time and effort they spend mitigating fraud and abuse
What time? What mitigations?
Cloudflare will proxy anything and then tell you "we're just a proxy, so we wont do anything lol" when you report anything other than cf pages. Doesn't matter if it's terror groups, animal torture, piracy, doxing, far right groups, etc.
I have personally submitted abuse reports and seen that absolutely nothing happens.
Oh and also the amount of abuse I see from people using Cloudflare Warp is also very high.
They've definitely refused to help far right sites and sites like Kiwi Farms.
Yeah, because of the pressure after it all blew up. They even said in their own blog post that it was an "extraordinary" decision and did not believe terminating them was appropriate.
Kiwi Farms used their services for at least 6 years before anything happened.
And all that pressure was for naught because it's still available right on the clearweb :'(
Is it? Currently giving 502 Bad Gateway. Seems like they're having hosting troubles.
Yes, outage right now.
it wasn't.
the amount of abuse I see from people using Cloudflare Warp is also very high.
More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?
That's quite surprising, since Cloudflare makes no such promises and markets Warp as a security/performance improvement tool, not an anonymity-providing one. I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.
More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?
Yes, because it is a free service, an easy and free way to just hide your ip address. You don't even need an account.
I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.
Correct, this used to be the case, but no longer is as far as I can tell. But even with that, it was an issue for non-Cloudflare websites and services that are being attacked that aren't HTTP(S) (e.g. SSH)
Ah, I haven't been following it closely. Thank you! Just found a blog post on that architectural change: https://blog.cloudflare.com/geoexit-improving-warp-user-expe...
Are they responsive at all to abuse notifications about their VPN users? Presumably the only thing they could even do is to block an upstream IP address, given that it doesn't require an account.
I was thinking particularly about the DDoS protections they advertise (and explain in lovely technical posts on this site). So you're saying that they protect their network from others, whilst disregarding harms their clients cause to others. That was something I was missing, so I thank you.
Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites. Back when CDNs were all "call for pricing" affairs.
Cloudflare had the insight that the more DDoS-for-hire services there were out there, the greater the demand for their services. Offering free DDoS protection to DDoS-for-hire services helps keep customers coming back for more.
Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites.
I mean, you don't need websites to advertise. Most DDoS-for-hire services back before 2009 advertised on IRC, NNTP, via ads in .NFO files found in warez releases found on Kazaa and BitTorrent, and so forth. (Some of the very tech-headed ones ones had Freenet sites.)
Depends on what you're trying to achieve, I think.
Cloudflare's policy is that if there's ToU-violating content being served through a Cloudflare-proxied domain, you can report it to request de-anonymization of the domain, so that you can then reach out to the actual host.
I've reported Cloudflare-proxied phishing-site clones of my company's website to Cloudflare, and they've usually come back to me with a pointer to the upstream-origin's ASN/ISP to reach out to within a few hours.
If you try to find evidence that Cloudflare mitigates fraud and abuse, you'll mostly find anecdotal evidence (sites that have been attacked and moved to Cloudflare, mostly) plus information and claims provided by Cloudflare, which is unverifiable. The problem is that nobody protects us, the Internet, from Cloudflare.
Cloudflare will happily take money from and host (yes, host - they host, in spite of their rather stupid and completely disingenuous assertions that they don't) spammers and scammers. They do all the time, and they have no intention of changing that any time soon.
If you forward phishing spam to abuse@cloudflare.com, guess what? Nothing happens. You get an automated response, but they do nothing about it. They expect you to visit a web page that has all sorts of intentional problems (intentional because they've been pointed out to Cloudflare and Cloudflare hasn't addressed them for years) that make the process arduous and time consuming. For one, they don't have "spam" as an abuse type. For another, even though they now literally host web content, and even though they're a domain registrar, if you don't paste in a URL pointing to a site hosted by their proxying product, then you can't submit your form. This means there's literally no way to complain to Cloudflare about domains for which Cloudflare is in WHOIS and SOA records, and for whom Cloudflare hosts DNS. The fields are limited to some particular size (2,000 characters? I forget exactly), and have issues where if you paste more than a certain amount of content but less than the hard limit, you can't submit the form. If you try to use the form more than once a minute or two, IT'S RATE LIMITED and you can't submit the form. Imagine that - they need to protect themselves from human-speed abuse reporting.
In other words, it's REALLY hard to use their site to report abuse to them, and they know this, and it's intentional, unless we want to believe that they just suck at understanding how to make a web page that works.
If they get enough complaints about a given phishing domain, they eventually take action, but it'd be after several days, which is more than the lifetime of a typical phishing campaign. In essence Cloudflare is one of the most popular phishing and spam-promoted hosting platforms because of Cloudflare's intentional foot dragging and claims to want to "protect free speech".
They got on my shit list years ago when they told me - not kidding - that they couldn't just take down a Bank of America phishing site when it was pointed out to them because of "free speech". In other words, they don't want to set a precedent where they can apply the tiniest modicum of common sense and take down phishing sites which any reasonable human on the planet can unambiguously recognize as fraud.
Bottom line: Cloudflare tells the world that there's SO much bad stuff out there, and you'll get in trouble if you don't use their products, and that's mostly true if you want to run phishing and spam-promoted web sites, so scammers and spammers use Cloudflare and are protected from those of us who would report those spammers and scammers.
For all the companies and individuals who use Cloudflare, many are fooled in to thinking they need Cloudflare when they don't and are just making their sites problematic for much of the non-western world while helping a wanna-be monopoly re-centralize the Internet around a for-profit company that has a history of profiting from scammers and spammers.
If anyone thinks Cloudflare legitimately protects the Internet by mitigating fraud and abuse, I'd be very interested to see evidence that doesn't come from Cloudflare that shows this.
What are some other viable options?
1) not using DoS / DDoS protection, or using any number of hosting services that have this built in, or using a service that doesn't marginalize large parts of the world in the name of "security". DoS / DDoS attacks are not as common as Cloudflare would want you to believe.
2) use literally any other registrar / DNS service / hosting platform. You then won't need to worry about whether people all over the world will be getting CAPTCHAs on ever visit because of where they live or what browser they choose to use.
They don’t only offer DDoS protection, but also a WAF (Web Application Firewall), and if you run commodity software, attacks are very common.
I know this because I manage a WordPress site fronted by a different WAF, and I can see in the logs that malicious bots are trying to pwn the site basically 24/7.
(and before you say ‘patches’ – yes, but defense in depth is a thing, and you don’t always have the luxury of vendors with good security practices.)
Yes, Wordpress is attacked incessantly. It's designed to be actively hostile to security, so yes, a firewall that helps ameliorate is a good thing.
However, if you really care about Wordpress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow Wordpress' absolutely ridiculous security. While patching depends on vendors, securing Wordpress from its own hubris doesn't depend on vendors.
But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
WP core isn’t bad, the problem is when you’re the ops guy and you get handed an installation with 30 plugins.
Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.
Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.
It seems at least plausible to me that either there would be even more fraud and abuse than there already is without the time and effort to mitigate it, or that maybe their mitigation is not as effective as they'd like. This isn't meant to contradict the other theories being posted here; I don't really have any experience specific to this area, so it's possible I'm just being naive.
Yeah, I find this whole thread a bit odd. Cloudflare has been a highly regarded service for years, and suddenly people are blaming them of running a protection racket, without providing a single source or piece of evidence (or a presumably more ethical alternative, for that matter)?
As they say, extraordinary claims require extraordinary evidence…
Cloudflare's market play has consistently reminded me of Facebook to Google's from the perspective of Googlers I know who moved to Facebook in early 2010s.
Let's do Akamai, but cheaper. Trying to stop everything bad is impossible anyway.
I've heard people bring up that problem before. On one hand they protect sites from DDOS attacks and bad actors, but on the other hand they help keep the bad actors online.
If there's no abuse, nobody will pay their protection money.
sell the problem and the solution, good business
Cloudflare's business model is largely reliant on the internet being filled with abuse.
They don't host the domain. Hosting happens somewhere else.
Which is where the crackdown should happen.
I believe their primary focus is protecting the customers / proxied web servers, not the clients of said site. I suspect if one day the free accounts on CF went away there again we would lose a lot of scam sites assuming they don't accept Monero or similar and like .tk we would also lose some cool sites.
Shouldn't be a surprise, there is a tight relationship between Cloudflare and the booter community. I remember every booter site or similar was always behind Cloudflare, I think it was a common practice because it didn't seem like Cloudflare cared about these abusive sites.
You think that fraud is just going to go away because .tk is gone?
probably not, but very little of value has been lost
I would disagree, I remember as a kid in the late 90s being able to host a website on one of the free hosting providers and then pairing it with a free domain name just made the whole thing that much more special. $10 or so a year for a paid domain name isn't a ton of money, but it can be for a kid with no credit cards and parents that aren't convinced as to why you "need" a domain name.
The problem is that "free for kids" is also "free for scammers" and it's hard to square that circle.
Would be really cool if public schools provided a free domain and basic hosting for any interested middle/high school student.
I don't think that would be a good idea. It would introduce an admin burden on the schools related to moderating/monitoring the sites. And they would more than likely overstep in one way or another, when enforcing their rules.
I was thinking state-administered. Public school enrollment would just be the precondition to access the program.
But sure, yeah, there'd be some admin time spent managing it. As with anything, there are plenty of reasons not to do it. It struck me as a low cost-to-impact ratio thing that could get kids into tech, but reasonable minds could disagree.
The only way it would work is if it was literally handled by the government, and the associated 1st amendment rules applied (so it wouldn't be moderated unless it was actually shut down by a court case).
It would result in rampant wildness and people complaining, but if you didn't do it that way the burden would be too high.
Good luck considering we can't even pay teachers properly.
Cost would be negligible compared to a teacher's salary.
(1 teacher / 20 students) * ($50k / teacher-yr) = $2500 per student per year to fund teacher salary.
Compare that to $40/yr domain+hosting, which maybe 10% of students will use. $4/student-yr will not be the diffence between paying teachers probably or not.
That budget only works if you don't care about content moderation or abuse management at all – or did you expect teachers to just do that on the side?
Another way of looking at this is that scammers can probably afford to spend $5-10 on a TLD since it's just a cost of doing "business" to them, but many kids can't.
I was very happy about free TLDs back in the day as a teenager, since I could just try things out before having to convince my parents to let me use their credit card to register a proper domain name.
It's infinitely easier to spend $0 vs $0.01 if you're trying to be anonymous online. The criminals can certainly afford it but that also almost certainly means interacting with financial systems that leave a paper trail.
I doubt that that's any kind of obstacle to criminals.
At a quick glance, many registrars and hosters seem to accept crypto, and anyone can buy prepaid Visa and Mastercard cards anonymously for cash for the ones that don't.
we're not in the 90s anymore. Many free subdomains options such as gitpages or full on free app (heroku) exists now.
If .tk was such a clear signal for abuse, isn't it a bad thing that signal no longer exists?
I'd rather ICANN finally introduce .free, give a few years to alert everyone, and those developing spam filters can treat it how they want.
If .tk was such a clear signal for abuse, isn't it a bad thing that signal no longer exists?
No, this is (obviously) contrarianism for contrarianisms sake.
It's good when entities facilitating crime stop facilitating it. No debate necessary.
Additionally, it's completely unclear what you mean by your proposal.
Spam and scams will happen no matter what. It will just be spread across the cheapest domain registrations that are still available now. The narrow and self-serving aspect that Facebook investigated, cybersquatting, should not justify killing off legitimate free domain registrations forever, at least in a better world where we more directly tackle these problems.
Nobody cut off "legitimate free domain registrations" forever.
Airquotes aren't sarcastic, just, idk exactly what that combination of words means so I want to leave myself an out.
You are free to hand out domains for free to strangers, if you so desire.
Nobody stopped anyone from anything.
You are free to hand out domains for free to strangers, if you so desire.
Nobody stopped anyone from anything.
This is impossible, as we have just seen with the ICANN termination of Freenom. Turns out, the legal threats will kill it, even if other TLDs also have plenty of cybersquatting going on. There's realistically no way to repeat Freenom's success in giving out free domains without greatly heightened legal expenses now. It's gone, the fun is over.
Likewise, because of this legal pressure they will likely never allow a .free proposal -- which is to assign .free to an organization wishing to provide free domain names and foot the bill themselves, essentially becoming the LetsEncrypt of domain name registrars.
The article claims Freenom shut down of its own free will. Are you reporting otherwise?
Are you reporting otherwise?
Essentially, yes. Freenom lost its registrar accreditation a few months ago, so all domain names will be forced by ICANN to go to another registrar. I'm assuming they saw no path towards getting it back, due to the difficult nature of complying with reporting correct registrant information for free users.
https://domainnamewire.com/2023/11/10/icann-terminates-opent...
They also just finished a $500 million settlement with Meta.
A TLD per se is not a facilitator for crime.
Correct - and either a strawman or nonsequitor.
Someone said "Wow. It's bad they banned cars"
I said "No they didn't. It's good that seedy car dealership, the one that couldn't stop selling armored cars to Al Capone's crew for years, gave up and shut down."
You added "Cars don't kill people. People kill people."
As someone who had also grown to automatically ignore .tk domains, perhaps we've lost a reliable spam signal and honeypot
Interesting, .xyz was by far higher on my list of disreputable spam domains.
I'd be happy with that one shut down too.
The people complaining that Cloudflare hosts these criminals would be the first ones complaining that Cloudflare has too much power when taking down websites it doesn’t like.
You can’t win with these people, I personally think this is the best outcome and shows our systems work (albeit slowly). Sure it took a while, but now there doesn’t have to be a precedent of Cloudflare acting as the internet police more than it has to.
This seems like such a weird problem to me. If they're criminals, just send the cops? If you can't send the cops, then they aren't criminals?
How do you end up in this limbo where you need critical infrastructure to play judge?
Cloudflare shields criminals from cops. They do so because of "free speech" or whatever. There was recently a story about a swatting victim, who tried to get the forum the swatters use to shut down. Cloud flare refused to give the identity of the criminals, the case even went to court and the victim lost and now apparently has to pay court costs.
Our legal system is unfortunately not perfect, which is why it matters what infrastructure providers do.
Do they enable criminals by shielding them from the police? Or do they have policies in place that prevent abuse of their service?
With Cloudflare, I'm pretty sure they lean towards the former.
I'm reasonably sure cloudflare would comply with any subpoenas / warrants sent their way.
Which is a catch-22, because subpoenas / warrants for collection of digital information have to name a specific intended target (a real legal identity under suspicion, not some pseudonym) — and "the real legal identity of the suspect" is exactly the thing that Cloudflare's proxy-shielding prevents you from learning. Courts won't act until they have some specific individual to act toward.
(This is also why, whenever you hear about e.g. police stings on Tor forums, they never mention requesting courts to issue warrants to ISPs for collection of e.g. traffic-analysis-correlation info about locations of servers hosting illegal content. Instead, this de-anonymization step is something they always have to achieve extra-judicially, usually by contracting a private network threat intelligence firm.)
Or you don't hear about the methods they are using for deanonymizing because they would get the cases thrown out of a court. Warrantless wiretapping and the like... And the private firm is just lying for them so law enforcement can do parallel construction.
wait, are you mad cloudflare decided not to be an active participant in a doxxing campaign? Swatting is awful but I'm inclined to side with cloudflare here.
I'm mad that they offer anonymity to criminals. If you offer a service that lets people hide their identity, you ought to perform a bit of due diligence.
Obviously with no context but what I hear
Is the website illegal? Or maybe the police need to deal with spam calls more sensibly. Presumably they can trace where the calls are coming from in real life
The internet is a global system that spans ~all jurisdictions, and most internet criminals live in jurisdictions that don't prosecute internet crimes as long as the bad actors leave citizens of their own country alone.
So they're criminals as far as the US and allies are concerned, but de facto not criminals where they live. If they're going to be locked out of the system, it has to be by the infrastructure, because their government has no interest in stopping them.
I see. Perhaps there should be a legal framework to get the government to demand companies like cloudflare stop serving these international criminals, then. That way it wouldn't depend on a private entity making the judgement.
Do you ever think it's weird that we have gone through web 1.0, web 2.0, semantic web, intertubes clogged with spam bots, web 3.0: crypto edition, and the dawn of AI scraping, and we still haven't figured out these issues?
Which government do you mean when you say "the government"? Any national government? Only the US government? Only governments in which the US is friendly and/or has agreements with?
Would you want authoritarian governments to be able to demand Cloudflare stop serving those they consider criminals that are outside their borders?
International law is messy.
The rule of thumb is governments where Cloudflare has equipment, personel, or banking.
There is a procedure to get a foreign case recognized in the US, too, but it has to be serious, and it's not an easy process.
CloudFlare has equipment in 120+ countries, including China: https://www.cloudflare.com/network/
I again ask: is it desirable for any of those countries to be able to unilaterally force a company to enforce its laws regardless of where the individual in question is?
If the equipment is in country X, it seems reasonable to enforce the rules of country X. Plenty of companies refuse to operate in specific countries, including China, because they don't want to follow rules of that country.
If CloudFlare chooses to do business in China, that's a choice they're making and it comes with consequences.
Maybe they can offer service where customers will only be served from equipment outside of China, maybe that's not something they choose.
For starters, Cloudflare is a USA company so it has to do whatever the USA government tells it. See National Security Letters.
They can easily order it to reveal the origin server of a website, or the sign-up IP address of the account, or to stop providing services to one.
Who you going to send to an online pharmacy hosted say in Egypt?
Why do you need to take down Egyptian pharmacy in the first place?
Because they send controlled substances to the US and falsely label them as "supplements"
I know, because I bought RX stuff from India and it did not get labelled as medication
Someone bought roids from India and didn't get busted by DEA in the process?! The horror!
Are you American? Because that sounds like such an American idea of how the world works.
To answer your question: most malware actors can be traced back to Russia, what exactly do you think "sending the cops" after them will accomplish and if the answer is "nothing", then does that mean you don't think they can be called criminals?
It doesn't need to be physical cops. What I mean is that if crimes are being committed, the legal system should initiate a process that either puts them in jail (which as you say may not be possible) or ends up with cloudflare banning and other internet companies blacklisting them. That way, the burden of judging criminality isn't on random companies but on the appropriate authorities.
Legal systems. And getting the Russian and American legal systems to cooperate is about as hard as getting Russia and America to cooperate.
What criminals are you referring to? The operators of .tk, or their users?
There are tons of shady websites hiding behind cloudflare's services. Some used .tk domains too but just in general, many shady websites are hiding behind Cloudflare and at least I know from personal experience if you contact cloud flare about it, they pretend not to be home.
"We do not host the website" was always there response, while that is perhaps technically true, arguing if they shut down the reverse proxying for that website it would be at least offline, never worked.
Cloudflare is a US company. If they provide hosting (or reverse proxying; I don't think there's a material legal difference) services for anything illegal under US law, shouldn't it be possible to compel them to stop doing that through the legal system?
And if this is about not-illegal-but-objectionable content, I'm actually glad that as an infrastructure company, they're choosing to not get into the business of content moderation.
if this is about not-illegal-but-objectionable content, I'm actually glad that as an infrastructure company, they're choosing to not get into the business of content moderation.
Agreed. There's one other subset you didn't mention: "Clearly illegal but not yet handled in the court of law". Cloudflare again has a pretty hardline stance that "the courts need to come to us and force us to take it down"
Clearly illegal but not yet handled in the court of law
Isn't that somewhat of an oxymoron? What are some examples of something that is against the law but not handled by the courts of law?
I mean not handled yet. Like say I'm hosting pirated content. Yes it's illegal, but it's not Cloudflare's place to say that.
Right, but if brought up to the courts, they would handle it, since it's illegal. But someone needs to prosecute for that to happen.
So it sounds like the system works as intended, as far as I understand.
I agree. It's not Cloudflare's place to remove something because it might be illegal
Maybe that commentator lives in a country without common law, so precedent doesn't matter, but in a country like the US a law without precedent is considered "untried" and a lot of the details are worked out when the law is first enforced.
If the legislature doesn't like the court's interpretation, they can then amend the law and the process restarts.
So basically, at least in the US, nothing is clearly illegal until it is handled by a court -- so yes I think you're right
Cloudflare again has a pretty hardline stance that "the courts need to come to us and force us to take it down"
"Hardline"? To me it seems like quite reasonable approach as opposed to "we will just take down anything someone on Twitter didn't like".
It's not reasonable. 99% of scams, frauds and harassment will never be subject of legal action, because there just aren't enough prosecutors out there to charge every fraud attempt.
If you require a court ruling before blocking a fraud, it means you will keep hosting 99% of frauds.
If it's clearly illegal, what prevents it from being handled in any court of law? If it's not actually as clear, preemptive/overzealous compliance can lead to all kinds of undesirable (in a liberal democracy) effects.
I also doubt that Cloudflare lets every single analogous issue bubble up to a full court case every single time, but for new/unclear/borderline scenarios, I'm glad that courts don't get to outsource their duty, i.e. determining the legality of actions, to a for-profit organization without public oversight.
A while back there was an interview with someone at Cloudflare and they were asked what about these Al Qaeda sites you guys are in front of, dude just answered "no comment". Seems that at the time they didn't ask many questions at all, like you said cause they don't want to go in to content moderation.
They can. You can also subpoena them for information on an account, there are literally lawyers with blogs talking about how to do this. The people complaining essentially think that they should have the right to take anything they want down with an abuse report.
You can’t win with these people
This is the classic fallacy of assuming that because you see comments of type A and comments of type B on the same forum that means they're the same people. They're usually not.
A more accurate way to phrase this is "you can't win with ... people". Whatever you do will end up ticking off some subset of the population.
There’s a similar problem I encounter from time to time: when I self-identify as “conservative” and express opinion C, many people assume I also hold opinions D, E, and F, because “that’s how all conservatives are”.
There are multitudes in every group.
They are not many multitudes in the US. Good on you, but my experience is that most people stick with one group and regurgitate the party lines. I think this comes mostly from very polarized TV shows.
Likewise, if you disagree with them, they instantly assume that you are with the other group. It is strange.
The two-party system easily evokes the ancient knee-jerk reflexes. The millennia-old "us against them" tends to eschew any nuance and instill the war mentality. Either you are "one of us", and subscribe to the bulk of "our" views, or you are "one of them", and are assumed to subscribe to the bulk of "their" views.
Pretty sad :(
There's one great piece of advice: "Keep your identity small" [1].
(If people ask me about my political affiliations, I usually answer something like "Hamilton for president! Of maybe Jefferson."; this kind of statesmanship is hard to find now though.)
[1]: https://www.paulgraham.com/identity.html (It's short, read it now.)
Does that mean, instead of saying "I am conservative", you instead only answer about specific policies (e.g. whether you use vim or emacs)?
“These people” is presumably a set of people quick to find fault in anything a corporation does, which could be a superset of those two groups. Not sure what kind of fallacy that’s supposed to be.
Your evidence for the non-emptiness of this set of people is the fallacy above
Those people are in the noise and nobody cares what they think once they realize they just criticize for the sake of it.
That doesn’t change that people seem to think the top upvoted comments being contradictory from day to day represents some kind of inconsistency in the views of the commenters on this site.
intersection, not superset
The people complaining that Cloudflare hosts these criminals would be the first ones complaining that Cloudflare has too much power when taking down websites it doesn’t like.
It'd be interesting if you could point to a single example of someone taking both sides. I strongly doubt these are the same people.
If you're asking me to personally identify someone, no I'm not going to do that. However if you want to see some hilarious hypocrisy, go ahead and see who said what when Cloudflare banned 8chan.
There is no contraposition. In both cases, big company simply does something it wants.
This comparison actually highlights that there is no “system”, because some (imaginary) impersonal entity decides that those bad actors are allowed, and those bad actors are not allowed. Some public sensibilities are given as a reason, but no one is actually asking anyone's opinion on anything. Still, there are people who believe that Santa Claus brings presents for free, and that the whole thing is not governed by typical hypocrisy and typical politics behind closed doors. The thing is, you've built a turnpike, you can now bargain with people interested in sharing control over that turnpike.
Well CloudFlare already does exactly that. It already set the precedent you are referring to. That's why it feels odd that they don't shut down literal criminals too. They have no issues with shutting down stuff, but they are famously very lax when it comes to actual criminal stuff. I'm not trying to say that they were wrong or right for engaging in content policing, what I'm saying is that the precedent isn't new.
Not the same people at all.
You can’t win with these people
People who want to live in a just world often get in the way of things. I'm just not sure why you're mad at those who want justice and not those who put profits above all else?
that Cloudflare hosts these criminals
Oh.. it's not that they host them, it's that they go out of their way to protect them, and the profit streams associated with them.
Another prominent .tk domain is for the Tcl programming language (tcl.tk) and I just checked, that is one of the paid .tk domains that are still up.
Why do orgs feel the need to use these whacky TLDs
I’m still of the fence with rust using .rs in important places which is fundamentally in control of the Serbian government. You’re going to have to trust the Serbian government with signing .rs DNSSSEC at minimum and I don’t.
Who do you trust?
Any of the OG TLD's, I wouldn't tie my domain to anything political at all outside of the US.
You already have to implicitly trust the US government when it comes to anything internet-related as all of the critical infrastructure is, whether you like it or not, American, so you might as well set up shop within US control.
Not a bunch of pro Russia mafia
.moe, as it's clearly the classiest and most professional TLD out there
Remnant of a time when the Internet was new and geeks would buy all kind of fun domains with odd TLDs.
"new"? I don't remember seeing many of the "odd TLDs" for sale until the web had been around 10-15 years.
Not the TLDs themselves the creative use of them.
I started on the Internet in the (mid) 90s. Back then, it was already common among security conscious folks. A bit later, end 90s, you could buy a shell account for a couple of USD per month. You could run a BNC on it, or IRC client. It had various IPv4 with reverse DNS, this was called vhost. For example, you could end up with I.pwned.the.whole.eu.org and plays where TLD was part of word. Goatse.cx for example reads 'goatsex', Slashdot.org reads 'slashdotdotorg' or 'httpcolonslashslashslashdotdotorg', the founder of first Dutch consumer ISP Xs4all Rop Gonggrijp had gonggri.jp for ages (guess his email address). There are countless of examples.
Because all .com are already taken and available only after you pay ransom money.
Then use descriptive product names, not cute single words that are being used by 47 other products.
That random world governments, many with judiciaries you can't access, control TLDs is a good reason not to use wacky ones. But DNSSEC isn't really part of that argument. Nobody trusts DNSSEC (the root keys could land on Pastebin and virtually nobody would even need to be paged), and the trust issue is the same before-and-after.
I think .so is an even whackier choice and people are rushing to it. Why notion.com redirects to notion.so is beyond me. Probably couldn't buy it and pay only for a redirect?
In TCL’s case it’s a fun play on Tcl/Tk, which is how it is often referred to when including its famous GUI toolkit.
To be perfectly fair, the list of DNSSEC cock-ups is staggering. .nz ccTLD was taken down, IIRC, for 4 days after a bad KSK rollover just last year. I’ve seen prominent registrars with ‘automated’ DNSSEC fail to upload correct NSEC and RRSIGs. It’s not uncommon to see .gov domains go down because of DNSSEC. You’d think all these entities should get it right, but they don’t. Probably why many major tech domains such as google.com don’t use DNSSEC.
But to your point, using a ‘off-brand’ can really hurt sometimes. `.af` might be a cute marketing tactic, but it’s actually Afghanistan, and the Taliban play by a different rulebook. I believe it was `gay.af` that found that out the hard way. Tons of other stories.
Ah nostalgic for tcl.
The TCL maintainers switched their main URL to tcl-lang.org a while back because Freenom was so unreliable, although they've continued to serve tcl.tk as well with crossed fingers.
I really hope Tokelau chooses a reputable registrar going forward, and .tk becomes usable for serious people.
Uh… if anybody has a legitimate .tk domain, how does one keep it alive?
I used to pay for mine. They were sold through resellers if you wanted to keep it. One advantage of .tk is that they supported emoji domains.
Which resellers?
I bought mine through infomaniak.com.
I'm trying to move a legitimate domain to them but I'm getting this error:
Entity reference not found [Object does not exist]
Oh, that is why I wasn't able to renew some domains I have used for 10+ years. I'm not even able to upgrade to paid domain.
I don't think it will help reducing malware/scams/phishing. But it will hurt students and young people that want to start in en development and aren't able to pay for a domain.
We still have https://nic.eu.org/ and https://freedns.afraid.org/ .
I applied for a domain at nic.eu.org in 2023 and I have never gotten a response
There's a couple more options too: https://free.wdh.gg/#/?id=domains
For students, a few of the GitHub Education Student Pack partners offer free domains for a year.
https://www.name.com/partner/github-students
I get .tk was popular because it was free and you do need a home for your website that’s portable across providers (not like a .netlify.app sub).
But like we learned from .af, any of these TLDs technically meant for a country need to be considered ephemeral. You are sort of borrowing it without explicit (or lasting) permission.
You are sort of borrowing it without explicit (or lasting) permission.
To be fair, this is true of all domains. The broader concern with ccTLDs is this borrowing dynamic layered with whatever geopolitical situation the country is in, how stable the administering authority is with respect to the current regime, or just the political forces at work within the country that may lead to changes or requirements for the ccTLD within the country are registered. There is often a concern of DNS infrastructure and local bandwidth considerations for the data center in which the root nameservers are housed, assuming they are not outsourcing that.
It's not true of gTLDs though. You actually own those domains, and they can't be taken away from you (barring extreme circumstances) so long as you pay the registration fees every year. But domains on ccTLDs can be taken away from you by the government at any time for any reason.
I gotta say i find it extremely hard to believe that one can "own" a domain. This sounds like hand-waving. We don't own software, we barely own computers (to do with what we want), we don't own media.
Is this like "one can own land" but really that's asterisked with Eminent Domain (no pun intended)?
The article presents this as a loss - but cloudflare has a free tier, do we know if these were paid accounts? If cloudflare weren’t going to convert these users then this could be a gain.
If the users were using free domains instead of paying for a domain do you think they'd use paid cloudflare? The cost of a domain is so much lower than the cost of Cloudflare.
I don’t know and that’s why I’m asking. Not paying for a domain is not a reason enough to expect not paying for cloudflare - these are different services. Also note that even not paying for cloudflare is not enough - I asked whether cloudflare intended to convert that segment.
I could at least imagine a scenario along the lines of: penniless college student creates a site at a .tk domain. Later, the student gets a job so he is no longer penniless, and meanwhile, his site actually becomes popular, so he signs up for cloudflare, maybe even registers a .com domain, but keeps the .tk domain alive because that's where most his traffic is coming from.
Not sure how common that is. But I don't think it's a given that all sites hosted on .tk domains are unwilling to pay, especially not if you consider that they must be somewhat popular if they need a CDN.
(The sort of personal homepage that most of us had back in the 90s would never need a CDN because it would get 5 hits per week.)
Is it safe to assume that these were overwhelmingly on Cloudflare's free tier? I don't expect that someone who gets a domain for free is going to pay for hosting; if that's the case I don't see this as a big loss for Cloudflare, or am I missing something?
I would guess the same, that these are not Cloudflare customers but rather domains that happened to be configured on Cloudflare. CF probably just increased their profit margin a little by no longer handling all those free users.
The affected domains represent a big loss for Cloudflare, with .tk, .cf and .gq previously accounting for 23.1% of all domains hosted on its platform – and nearly all of these have now gone.
I'm not sure in what way this is a "loss". I doubt cloudflare is losing money (or revenue) here. Especially if many of these domains are spammy, it seems like this is probably not much of anything for them.
This was my thought while reading this. Overall I think this is a net-win for CloudFlare. I suspect that exactly 0.00% of the 12.6 million domains they just "lost" were paying customers. Considering the people didn't want to pay for a domain, they probably weren't paying for a CDN either.
I'm sure Cloudflare will be able to wipe away their tears of this loss using the extra dollar bills they have from reducing their bandwidth costs.
My friends and I used cjb.net for our anime website
Yeah, I've lost my cannes-ratings.tk around that time without any explanation. Lucky I decided to finally pay for the .org a year before.
Ahhh, the memories :)
Understandable, but a loss all the same. I'll never forget how proud I felt as a kid when I first had a URL I could give to people.
I had a free website on .tk
When it because moderately successful, they didn't renew, and then wanted 50€/year.
I'm sure CloudFlare is just reeling from this "loss" of 12.3 Million unpaid customers.
I hope the CEO doesn't drink too much tequila tonight during the celebrations
Tangentially, Cloudflare REALLY needs to start supporting transferring .moe domains already.
Is there any other connection to Cloudflare? I thought maybe they were using the .cf domain for their own stuff or something. ;)
Same here. .tk was the only one back then that allowed you to have your own domain name without subdomains. My memory is that:
1. freeserver.com/~userna <- This was the first URl you could have, sometimes with something inside another directory (freeserver.com/users/u/~usernam).
2. username.freeserver.com <- This wasn't that bad but it didn't look professional. Tripod used to do this.
3. username.fs.com <-- A service with a short domain that provided free subdomains. This was similar to 2 but shorter. Some of them allowed you to chose the domian part.
4. username.tk <-- Among all the free options, this was the best one by far.
Then we grew up a bit and started paying domains :')
The problem with .tk was that it would inject ads into your content. And the whole TLD was filled with low quality spam and hacks. I never liked it.
$7/yr for a domain was one of the very first internet purchases I made. Then that set me down a path of finding free dynamic DNS services. For a short time my website and Invision forum were only online when I was, but I felt like I'd beaten the advertisers.
I don't remember this. I started using TK domains as a kid in 2017 and you set your own nameserver records and they didn't serve ads.
fucking hell
I know right! I feel so young.
there are people on this site that were born in the previous millennium! :O
oof. We didn't even have the Internet, nevermind Google. Kids these days will never even know what it was like pre ChatGPT. programming and even just computers alone was hard back in the day.
Hard?! You'd generally have one or two medium size books that documented the whole environment including corner cases, very few or no third party libraries, no frameworks, no autoupdates, just programmers living their best lives. If anything ChatGPT is filling the hole created by poorly documented "open source" churn.
from my perspective, I can just ask ChatGPT to give me code to whatever and it gives it to me. way easier than figuring it out for myself. hell, with openinterpreter, I can just tell my computer to fix my python shit for me. sure, there weren't me frameworks every week, so knowing C++ and MFC was a sure thing, but it's so much easier today. python points at the character of the exact line of code that's throwing the error. no more spending hours of your life to find a missing semicolon, unless you try using rust (seriously, the difference between OK() and OK(); is material? I mean I understand it now after the fact but ungh).
you can't grep paper books, at best you can look things up in the index. even without ChatGPT I can ask Google and get stack overflow and just copy and paste without having to think deeply within minutes. if I'm just trying to get something out there, why do it the hard way? there's still need for the hard way (eg, I'm currently fighting Ida pro for a thing), but there's just less of a call for that.
People born after 1990 aren't real.
How do you do, fellow kids?
(reference: https://cdn.vox-cdn.com/thumbor/mO8UICqmeSd97l09w_FgSP1TDPQ=...)
When I used .tk briefly in 98-99 it was using iframes and they injected ads and/or opened pop-ups IIRC.
Not even iframes, by my memory it was regular frames (rip).
One frame at the top with a banner ad and then your site below it.
Yes, you're probably right. It was quite blunt :)
This was in the 90's and 00's.
.tk was the only top level domain you could get without having to give them payment details or personal information.
It was a huge deal at the time for kids, students, and spammers.
They made their money by injecting scripts onto your pages to display banner ads.
I remember there was scripts that remove the ads .tk injected
de.vu was popular in Germany for subdomains, I had a few of those. Also a .tk one later.
In France .fr.st was a popular free option
Yup, and .fr.fm too
de.vu always rubbed me the wrong way because it kinda looked/sounded like DVU, a far-right political party that eventually merged with the neo-nazi NPD (which, fun fact, recently rebranded itself as Die Heimat - Homeland). To be fair, the party didn't have much political relevance for most of its history but it did manage to win seats in some state (Land) parliaments in 1998, 1999, 2003, 2004 and 2007 so it did come up in the news around the time those domains were most popular.
On the other hand, .tk was in my mind mostly associated with German hobbyists and piracy. I think my old StarCraft/CounterStrike clan had a .tk domain at one point.
Never got the DVU connection, my AoE1/2 clan had .de.vu before we got a .de, I also know several other people in my class who had one.
On the other hand .tk is more something I remember in connection with spam and scam :D
Yeah, also .de.tf. I just looked it up and my old site is on the wayback machine. So many memories.
Im trying to remember I think it was 8m.com or something like that? Which also let you have stuff like username.8m.com its probably gone now.
I also miss tripod, not sure if its still around how it used to be. Angelfire comes to mind too.
Those sites are still up, the control panel is at freeservers.com my Site davinder.8m.net is still up after 22 years. I chose .net because it was cooler than .com :)
Hah! Thats awesome, I don’t recall any of the names I used to be honest, its been too many years.
Oh ya. I had my first website on 8m.com still available in the archives!! Best days!
I remember 20m in the UK, which did basic hosting.
Good times.
I remember one around the year 2000 that gave you yourname.com for free but it would host your site in a frameset with a bottom frame serving banner ads. IIRC it was called NameZero, but I don't think it lasted long.
That was definitely NameZero. Their problem was they had no way to control what you ran inside your frame, so everyone ran a well-distributed code snippet that removed the ad frame.
Similar to Angelfire, which only inserted ads into the top of .html files, so you just built your entire site as .txt files and rely on the browsers "be lenient in what you accept" to render it as HTML.
I remember putting up Minecraft servers under .uk.to, also co.cc
My site davinder.8m.net is still up after 22 years. Only 2 years ago I managed to find its password.
Friend of mine had a .tk domain for a while, last one he used was a .aa.am domain for his Minecraft server, lol.
I recall using *.8k.com because that was one of the shortest free *.com options around.
In italy we had 3000.it
https://web.archive.org/web/20010331143129/http://www.kliman...
SPOILER: I didn’t become a webdesigner
But did you become a webmaster?
Yep webhighmaster :D im a software developer now
LOL!
On a good day sure, most days I would settle on me being a house elf, or dozer...
Dobby! :D
"Copyright © by klimato ® All Right Reserved"
Heh. I remember thinking '©' and '®' being cool letters. I put it on every page since it looked pro. I guess you didn't actually register the "brand"?
Naaah i changed dozens of nicknames since then :D
I believe you don't have to do anything to claim copyright, other than make it yourself. One vague legal source I just read says that adding the copyright symbol and notice means you may be entitled to more damages if someone infringes on your copyright though.
I used .co.nr alongside .tk for a while, before moving to .co.cc, and then finally managing a way to buy my domain.
.co.nr was strange because it put your page inside of an iframe and required advertisement of the service.
Yeah, the cloaking was annoying - navigation across pages wouldn’t update the URL.
Ah, co.cc, the tld that was full of php reverse shells!
I definitely had a .co.nr domain before a .tk. I think I also remember (I was likely 13, so its been a while) that they had an "English" test question on the sign up form that read something like "A Britney Spears is a:" and one of the options was "Hamburger".
Looking back this could have been to slow robots down, but I distinctly remember one if the terms being you speak and host English content.
Another service I used a lot was " dominosfree" which had a bunch of .gs domains that looked like CC-tlds. I used .ca.gs a lot.
I think I had co.nr too! I just dont remember if it was like .tk or if it was one of those webhosts.
I remember switching to cjb.net because you could get free wildcard email accounts for your domain.
It's interesting seeing it parallels the problems with .tks today-- I remember using cjb.net to make my own LOVE@AOL websites and phish AOL users telling them that a crush liked their account. Easiest money a 12 year old ever made.
Now that is a name I haven't heard in a long time. I had a Dragon Ball Z website using that domain, feels so long ago.
I remember in the early 90s telling Mom that I built my own website. Mom was like noway that's impossible. I can't remember exactly where it was but it was like zoogatyler1.go.com or something. I think it was owned by Disney? I must have been around 7 or 8 but I remember being so excited. I think it was more of a homepage than anything. I started delving into those .tk sites when I was around 11 or 12 probably.
I launched one on a compuserve domain (I think) around the same time. Built it with FrontPage Express that came for free on a cd with a magazine my dad bought. Day after I launched it I had like 20 emails from random people with questions & comments about the site, crazy. Build it and they will come was def a thing.
Later on in the UK I put a site on a madasafish domain.
Oh man, this brings back memories from high school!
.tk was a blessing for us.
Same here! I remember registering a .tk domain for a school project I was working on at the time, my friends were all so impressed when I showed them it was available as a website they could visit in their browser
I used to host my websites wherever and then having a redirect to it. Two I remember was pagina.de/dr.enima (roughly translates to site of dr.enigma, my nickname back then) and i.am/supermatrix - a website dedicated to the movie the matrix which I love.
I think both of those pages were hosted in geocities and had pretty long urls...
If i recall correctly, i use frames with size 0 on the top and 100% on the bottom, making that annoying banner invisible
same - I remember hosting a small web server from a crappy pc at my parents house and using a .tk to serve the site.
Probably not the smartest thing to do at the time since I may have opened up all ports on the router to get it to work, lol. No https. No security. No moderation. Copy and pasted some html from a site that I thought was cool, search and replaced text to make it my own.
It was kind of like a microblog before twitter, fb, ig, blogspot, tumblr.
I remember flexing on my friends that the google site I had got a proper name with .tk!
i share a similar story but today we don't seem to have any alternatives. it is a shame really but i wonder if there is something else that does not involve freenom today.
In South Africa you could get a za.net domain for free. They stopped new registrations quite some time back as the spam era of the internet was getting started. I still have my domain and use it for all sorts of different things. From email to experiments.
Name server changes are still done through email.
What are kids using these days?
Serious question, Heroku and .tk were such amazing services if you weren't old enough to get a credit card.
Did you also use 000webhost.com with .tk domains like me?
God. I’d forgotten all about .tk until reading this comment. What an amazing time.
My favorite was .uni.cc, I had a couple of those free domains back in the day.