return to table of content

Cloudflare loses 22% of its domains in Freenom .tk shutdown

thangngoc89
64 replies
2d5h

Unrelated to the article but seeing .tk brings back many memories. As a kid without a bank account let's alone an international credit card (VISA/Mastercard), dot.tk is the only way to put a website online with your name. I created countless of websites with .tk for classmates, school and families.

101008
32 replies
2d4h

Same here. .tk was the only one back then that allowed you to have your own domain name without subdomains. My memory is that:

1. freeserver.com/~userna <- This was the first URl you could have, sometimes with something inside another directory (freeserver.com/users/u/~usernam).

2. username.freeserver.com <- This wasn't that bad but it didn't look professional. Tripod used to do this.

3. username.fs.com <-- A service with a short domain that provided free subdomains. This was similar to 2 but shorter. Some of them allowed you to chose the domian part.

4. username.tk <-- Among all the free options, this was the best one by far.

Then we grew up a bit and started paying domains :')

echelon
13 replies
2d3h

The problem with .tk was that it would inject ads into your content. And the whole TLD was filled with low quality spam and hacks. I never liked it.

$7/yr for a domain was one of the very first internet purchases I made. Then that set me down a path of finding free dynamic DNS services. For a short time my website and Invision forum were only online when I was, but I felt like I'd beaten the advertisers.

jesprenj
11 replies
2d1h

I don't remember this. I started using TK domains as a kid in 2017 and you set your own nameserver records and they didn't serve ads.

Unfrozen0688
6 replies
1d22h

kid >2017

fucking hell

umbra07
5 replies
1d21h

I know right! I feel so young.

there are people on this site that were born in the previous millennium! :O

fragmede
2 replies
1d20h

oof. We didn't even have the Internet, nevermind Google. Kids these days will never even know what it was like pre ChatGPT. programming and even just computers alone was hard back in the day.

mindslight
1 replies
1d17h

Hard?! You'd generally have one or two medium size books that documented the whole environment including corner cases, very few or no third party libraries, no frameworks, no autoupdates, just programmers living their best lives. If anything ChatGPT is filling the hole created by poorly documented "open source" churn.

fragmede
0 replies
1d15h

from my perspective, I can just ask ChatGPT to give me code to whatever and it gives it to me. way easier than figuring it out for myself. hell, with openinterpreter, I can just tell my computer to fix my python shit for me. sure, there weren't me frameworks every week, so knowing C++ and MFC was a sure thing, but it's so much easier today. python points at the character of the exact line of code that's throwing the error. no more spending hours of your life to find a missing semicolon, unless you try using rust (seriously, the difference between OK() and OK(); is material? I mean I understand it now after the fact but ungh).

you can't grep paper books, at best you can look things up in the index. even without ChatGPT I can ask Google and get stack overflow and just copy and paste without having to think deeply within minutes. if I'm just trying to get something out there, why do it the hard way? there's still need for the hard way (eg, I'm currently fighting Ida pro for a thing), but there's just less of a call for that.

brnt
0 replies
1d17h

People born after 1990 aren't real.

reidrac
2 replies
2d1h

When I used .tk briefly in 98-99 it was using iframes and they injected ads and/or opened pop-ups IIRC.

jwitthuhn
1 replies
1d18h

Not even iframes, by my memory it was regular frames (rip).

One frame at the top with a banner ad and then your site below it.

reidrac
0 replies
1d1h

Yes, you're probably right. It was quite blunt :)

echelon
0 replies
2d1h

This was in the 90's and 00's.

.tk was the only top level domain you could get without having to give them payment details or personal information.

It was a huge deal at the time for kids, students, and spammers.

They made their money by injecting scripts onto your pages to display banner ads.

thangngoc89
0 replies
2d3h

I remember there was scripts that remove the ads .tk injected

Semaphor
5 replies
2d2h

de.vu was popular in Germany for subdomains, I had a few of those. Also a .tk one later.

tarsinge
1 replies
2d2h

In France .fr.st was a popular free option

Biganon
0 replies
2d1h

Yup, and .fr.fm too

hnbad
1 replies
1d22h

de.vu always rubbed me the wrong way because it kinda looked/sounded like DVU, a far-right political party that eventually merged with the neo-nazi NPD (which, fun fact, recently rebranded itself as Die Heimat - Homeland). To be fair, the party didn't have much political relevance for most of its history but it did manage to win seats in some state (Land) parliaments in 1998, 1999, 2003, 2004 and 2007 so it did come up in the news around the time those domains were most popular.

On the other hand, .tk was in my mind mostly associated with German hobbyists and piracy. I think my old StarCraft/CounterStrike clan had a .tk domain at one point.

Semaphor
0 replies
1d22h

Never got the DVU connection, my AoE1/2 clan had .de.vu before we got a .de, I also know several other people in my class who had one.

On the other hand .tk is more something I remember in connection with spam and scam :D

V__
0 replies
2d2h

Yeah, also .de.tf. I just looked it up and my old site is on the wayback machine. So many memories.

giancarlostoro
4 replies
2d4h

Im trying to remember I think it was 8m.com or something like that? Which also let you have stuff like username.8m.com its probably gone now.

I also miss tripod, not sure if its still around how it used to be. Angelfire comes to mind too.

davchana
1 replies
2d1h

Those sites are still up, the control panel is at freeservers.com my Site davinder.8m.net is still up after 22 years. I chose .net because it was cooler than .com :)

giancarlostoro
0 replies
1d19h

Hah! Thats awesome, I don’t recall any of the names I used to be honest, its been too many years.

moltar
0 replies
2d3h

Oh ya. I had my first website on 8m.com still available in the archives!! Best days!

ljm
0 replies
1d22h

I remember 20m in the UK, which did basic hosting.

Good times.

broast
2 replies
2d3h

I remember one around the year 2000 that gave you yourname.com for free but it would host your site in a frameset with a bottom frame serving banner ads. IIRC it was called NameZero, but I don't think it lasted long.

Kye
1 replies
2d3h

That was definitely NameZero. Their problem was they had no way to control what you ran inside your frame, so everyone ran a well-distributed code snippet that removed the ad frame.

pests
0 replies
1d23h

Similar to Angelfire, which only inserted ads into the top of .html files, so you just built your entire site as .txt files and rely on the browsers "be lenient in what you accept" to render it as HTML.

jonathantf2
0 replies
2d

I remember putting up Minecraft servers under .uk.to, also co.cc

davchana
0 replies
2d1h

My site davinder.8m.net is still up after 22 years. Only 2 years ago I managed to find its password.

Cthulhu_
0 replies
1h0m

Friend of mine had a .tk domain for a while, last one he used was a .aa.am domain for his Minecraft server, lol.

Bluecobra
0 replies
2d1h

I recall using *.8k.com because that was one of the shortest free *.com options around.

UnlockedSecrets
3 replies
2d1h

But did you become a webmaster?

lnxg33k1
2 replies
2d

Yep webhighmaster :D im a software developer now

zer00eyz
1 replies
1d23h

LOL!

On a good day sure, most days I would settle on me being a house elf, or dozer...

lnxg33k1
0 replies
1d22h

Dobby! :D

rightbyte
2 replies
2d1h

"Copyright © by klimato ® All Right Reserved"

Heh. I remember thinking '©' and '®' being cool letters. I put it on every page since it looked pro. I guess you didn't actually register the "brand"?

lnxg33k1
0 replies
2d

Naaah i changed dozens of nicknames since then :D

Cthulhu_
0 replies
59m

I believe you don't have to do anything to claim copyright, other than make it yourself. One vague legal source I just read says that adding the copyright symbol and notice means you may be entitled to more damages if someone infringes on your copyright though.

captn3m0
5 replies
2d4h

I used .co.nr alongside .tk for a while, before moving to .co.cc, and then finally managing a way to buy my domain.

creatonez
1 replies
1d21h

.co.nr was strange because it put your page inside of an iframe and required advertisement of the service.

captn3m0
0 replies
1d11h

Yeah, the cloaking was annoying - navigation across pages wouldn’t update the URL.

tamimio
0 replies
2d3h

Ah, co.cc, the tld that was full of php reverse shells!

jszymborski
0 replies
2d3h

I definitely had a .co.nr domain before a .tk. I think I also remember (I was likely 13, so its been a while) that they had an "English" test question on the sign up form that read something like "A Britney Spears is a:" and one of the options was "Hamburger".

Looking back this could have been to slow robots down, but I distinctly remember one if the terms being you speak and host English content.

Another service I used a lot was " dominosfree" which had a bunch of .gs domains that looked like CC-tlds. I used .ca.gs a lot.

giancarlostoro
0 replies
2d3h

I think I had co.nr too! I just dont remember if it was like .tk or if it was one of those webhosts.

wnevets
2 replies
2d

I remember switching to cjb.net because you could get free wildcard email accounts for your domain.

p3rls
0 replies
2d

It's interesting seeing it parallels the problems with .tks today-- I remember using cjb.net to make my own LOVE@AOL websites and phish AOL users telling them that a crush liked their account. Easiest money a 12 year old ever made.

a1o
0 replies
2d

Now that is a name I haven't heard in a long time. I had a Dragon Ball Z website using that domain, feels so long ago.

xeromal
1 replies
2d2h

I remember in the early 90s telling Mom that I built my own website. Mom was like noway that's impossible. I can't remember exactly where it was but it was like zoogatyler1.go.com or something. I think it was owned by Disney? I must have been around 7 or 8 but I remember being so excited. I think it was more of a homepage than anything. I started delving into those .tk sites when I was around 11 or 12 probably.

stef25
0 replies
1d21h

I launched one on a compuserve domain (I think) around the same time. Built it with FrontPage Express that came for free on a cd with a magazine my dad bought. Day after I launched it I had like 20 emails from random people with questions & comments about the site, crazy. Build it and they will come was def a thing.

Later on in the UK I put a site on a madasafish domain.

syuil
1 replies
2d4h

Oh man, this brings back memories from high school!

.tk was a blessing for us.

DaSHacka
0 replies
1d10h

Same here! I remember registering a .tk domain for a school project I was working on at the time, my friends were all so impressed when I showed them it was available as a website they could visit in their browser

atum47
1 replies
2d2h

I used to host my websites wherever and then having a redirect to it. Two I remember was pagina.de/dr.enima (roughly translates to site of dr.enigma, my nickname back then) and i.am/supermatrix - a website dedicated to the movie the matrix which I love.

I think both of those pages were hosted in geocities and had pretty long urls...

atum47
0 replies
2d2h

If i recall correctly, i use frames with size 0 on the top and 100% on the bottom, making that annoying banner invisible

xyst
0 replies
1d23h

same - I remember hosting a small web server from a crappy pc at my parents house and using a .tk to serve the site.

Probably not the smartest thing to do at the time since I may have opened up all ports on the router to get it to work, lol. No https. No security. No moderation. Copy and pasted some html from a site that I thought was cool, search and replaced text to make it my own.

It was kind of like a microblog before twitter, fb, ig, blogspot, tumblr.

tamimio
0 replies
2d3h

I remember flexing on my friends that the google site I had got a proper name with .tk!

rldjbpin
0 replies
1d3h

i share a similar story but today we don't seem to have any alternatives. it is a shame really but i wonder if there is something else that does not involve freenom today.

mmsimanga
0 replies
1d6h

In South Africa you could get a za.net domain for free. They stopped new registrations quite some time back as the spam era of the internet was getting started. I still have my domain and use it for all sorts of different things. From email to experiments.

Name server changes are still done through email.

miki123211
0 replies
1d16h

What are kids using these days?

Serious question, Heroku and .tk were such amazing services if you weren't old enough to get a credit card.

dpacmittal
0 replies
1d9h

Did you also use 000webhost.com with .tk domains like me?

cqqxo4zV46cp
0 replies
2d3h

God. I’d forgotten all about .tk until reading this comment. What an amazing time.

accrual
0 replies
1d23h

My favorite was .uni.cc, I had a couple of those free domains back in the day.

chomp
56 replies
2d4h

Thank god, .tk caused so many headaches for us, truly a cesspit of a tld. The rate of fraud and abuse on our platform was staggeringly high from it, it was close 99%.

eszed
29 replies
2d4h

It would follow that Cloudflare is tacitly admitting they have been / are hosting a large number of domains used for fraud and abuse. That surprises me, given the time and effort they spend mitigating fraud and abuse. Anyone care to explain what I'm missing?

KomoD
13 replies
2d4h

That surprises me, given the time and effort they spend mitigating fraud and abuse

What time? What mitigations?

Cloudflare will proxy anything and then tell you "we're just a proxy, so we wont do anything lol" when you report anything other than cf pages. Doesn't matter if it's terror groups, animal torture, piracy, doxing, far right groups, etc.

I have personally submitted abuse reports and seen that absolutely nothing happens.

Oh and also the amount of abuse I see from people using Cloudflare Warp is also very high.

gadders
5 replies
2d3h

They've definitely refused to help far right sites and sites like Kiwi Farms.

KomoD
4 replies
2d3h

Yeah, because of the pressure after it all blew up. They even said in their own blog post that it was an "extraordinary" decision and did not believe terminating them was appropriate.

Kiwi Farms used their services for at least 6 years before anything happened.

chx
2 replies
2d3h

And all that pressure was for naught because it's still available right on the clearweb :'(

immibis
1 replies
1d23h

Is it? Currently giving 502 Bad Gateway. Seems like they're having hosting troubles.

KomoD
0 replies
1d22h

Yes, outage right now.

Zpalmtree
0 replies
1d17h

it wasn't.

lxgr
2 replies
2d2h

the amount of abuse I see from people using Cloudflare Warp is also very high.

More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?

That's quite surprising, since Cloudflare makes no such promises and markets Warp as a security/performance improvement tool, not an anonymity-providing one. I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.

KomoD
1 replies
2d1h

More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?

Yes, because it is a free service, an easy and free way to just hide your ip address. You don't even need an account.

I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.

Correct, this used to be the case, but no longer is as far as I can tell. But even with that, it was an issue for non-Cloudflare websites and services that are being attacked that aren't HTTP(S) (e.g. SSH)

lxgr
0 replies
1d22h

Ah, I haven't been following it closely. Thank you! Just found a blog post on that architectural change: https://blog.cloudflare.com/geoexit-improving-warp-user-expe...

Are they responsive at all to abuse notifications about their VPN users? Presumably the only thing they could even do is to block an upstream IP address, given that it doesn't require an account.

eszed
2 replies
2d4h

I was thinking particularly about the DDoS protections they advertise (and explain in lovely technical posts on this site). So you're saying that they protect their network from others, whilst disregarding harms their clients cause to others. That was something I was missing, so I thank you.

michaelt
1 replies
2d3h

Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites. Back when CDNs were all "call for pricing" affairs.

Cloudflare had the insight that the more DDoS-for-hire services there were out there, the greater the demand for their services. Offering free DDoS protection to DDoS-for-hire services helps keep customers coming back for more.

derefr
0 replies
1d22h

Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites.

I mean, you don't need websites to advertise. Most DDoS-for-hire services back before 2009 advertised on IRC, NNTP, via ads in .NFO files found in warez releases found on Kazaa and BitTorrent, and so forth. (Some of the very tech-headed ones ones had Freenet sites.)

derefr
0 replies
1d22h

Depends on what you're trying to achieve, I think.

Cloudflare's policy is that if there's ToU-violating content being served through a Cloudflare-proxied domain, you can report it to request de-anonymization of the domain, so that you can then reach out to the actual host.

I've reported Cloudflare-proxied phishing-site clones of my company's website to Cloudflare, and they've usually come back to me with a pointer to the upstream-origin's ASN/ISP to reach out to within a few hours.

johnklos
5 replies
2d1h

If you try to find evidence that Cloudflare mitigates fraud and abuse, you'll mostly find anecdotal evidence (sites that have been attacked and moved to Cloudflare, mostly) plus information and claims provided by Cloudflare, which is unverifiable. The problem is that nobody protects us, the Internet, from Cloudflare.

Cloudflare will happily take money from and host (yes, host - they host, in spite of their rather stupid and completely disingenuous assertions that they don't) spammers and scammers. They do all the time, and they have no intention of changing that any time soon.

If you forward phishing spam to abuse@cloudflare.com, guess what? Nothing happens. You get an automated response, but they do nothing about it. They expect you to visit a web page that has all sorts of intentional problems (intentional because they've been pointed out to Cloudflare and Cloudflare hasn't addressed them for years) that make the process arduous and time consuming. For one, they don't have "spam" as an abuse type. For another, even though they now literally host web content, and even though they're a domain registrar, if you don't paste in a URL pointing to a site hosted by their proxying product, then you can't submit your form. This means there's literally no way to complain to Cloudflare about domains for which Cloudflare is in WHOIS and SOA records, and for whom Cloudflare hosts DNS. The fields are limited to some particular size (2,000 characters? I forget exactly), and have issues where if you paste more than a certain amount of content but less than the hard limit, you can't submit the form. If you try to use the form more than once a minute or two, IT'S RATE LIMITED and you can't submit the form. Imagine that - they need to protect themselves from human-speed abuse reporting.

In other words, it's REALLY hard to use their site to report abuse to them, and they know this, and it's intentional, unless we want to believe that they just suck at understanding how to make a web page that works.

If they get enough complaints about a given phishing domain, they eventually take action, but it'd be after several days, which is more than the lifetime of a typical phishing campaign. In essence Cloudflare is one of the most popular phishing and spam-promoted hosting platforms because of Cloudflare's intentional foot dragging and claims to want to "protect free speech".

They got on my shit list years ago when they told me - not kidding - that they couldn't just take down a Bank of America phishing site when it was pointed out to them because of "free speech". In other words, they don't want to set a precedent where they can apply the tiniest modicum of common sense and take down phishing sites which any reasonable human on the planet can unambiguously recognize as fraud.

Bottom line: Cloudflare tells the world that there's SO much bad stuff out there, and you'll get in trouble if you don't use their products, and that's mostly true if you want to run phishing and spam-promoted web sites, so scammers and spammers use Cloudflare and are protected from those of us who would report those spammers and scammers.

For all the companies and individuals who use Cloudflare, many are fooled in to thinking they need Cloudflare when they don't and are just making their sites problematic for much of the non-western world while helping a wanna-be monopoly re-centralize the Internet around a for-profit company that has a history of profiting from scammers and spammers.

If anyone thinks Cloudflare legitimately protects the Internet by mitigating fraud and abuse, I'd be very interested to see evidence that doesn't come from Cloudflare that shows this.

RyeCombinator
4 replies
2d

What are some other viable options?

johnklos
3 replies
1d20h

1) not using DoS / DDoS protection, or using any number of hosting services that have this built in, or using a service that doesn't marginalize large parts of the world in the name of "security". DoS / DDoS attacks are not as common as Cloudflare would want you to believe.

2) use literally any other registrar / DNS service / hosting platform. You then won't need to worry about whether people all over the world will be getting CAPTCHAs on ever visit because of where they live or what browser they choose to use.

Tijdreiziger
2 replies
1d20h

They don’t only offer DDoS protection, but also a WAF (Web Application Firewall), and if you run commodity software, attacks are very common.

I know this because I manage a WordPress site fronted by a different WAF, and I can see in the logs that malicious bots are trying to pwn the site basically 24/7.

(and before you say ‘patches’ – yes, but defense in depth is a thing, and you don’t always have the luxury of vendors with good security practices.)

johnklos
1 replies
1d20h

Yes, Wordpress is attacked incessantly. It's designed to be actively hostile to security, so yes, a firewall that helps ameliorate is a good thing.

However, if you really care about Wordpress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow Wordpress' absolutely ridiculous security. While patching depends on vendors, securing Wordpress from its own hubris doesn't depend on vendors.

But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.

Tijdreiziger
0 replies
1d19h

WP core isn’t bad, the problem is when you’re the ops guy and you get handed an installation with 30 plugins.

Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.

Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.

Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.

saghm
1 replies
2d

It seems at least plausible to me that either there would be even more fraud and abuse than there already is without the time and effort to mitigate it, or that maybe their mitigation is not as effective as they'd like. This isn't meant to contradict the other theories being posted here; I don't really have any experience specific to this area, so it's possible I'm just being naive.

Tijdreiziger
0 replies
1d20h

Yeah, I find this whole thread a bit odd. Cloudflare has been a highly regarded service for years, and suddenly people are blaming them of running a protection racket, without providing a single source or piece of evidence (or a presumably more ethical alternative, for that matter)?

As they say, extraordinary claims require extraordinary evidence…

refulgentis
0 replies
1d18h

Cloudflare's market play has consistently reminded me of Facebook to Google's from the perspective of Googlers I know who moved to Facebook in early 2010s.

Let's do Akamai, but cheaper. Trying to stop everything bad is impossible anyway.

jlarocco
0 replies
2d

I've heard people bring up that problem before. On one hand they protect sites from DDOS attacks and bad actors, but on the other hand they help keep the bad actors online.

If there's no abuse, nobody will pay their protection money.

beanjuiceII
0 replies
2d3h

sell the problem and the solution, good business

Retr0id
0 replies
2d2h

Cloudflare's business model is largely reliant on the internet being filled with abuse.

NicoJuicy
0 replies
2d1h

They don't host the domain. Hosting happens somewhere else.

Which is where the crackdown should happen.

LinuxBender
0 replies
1d17h

I believe their primary focus is protecting the customers / proxied web servers, not the clients of said site. I suspect if one day the free accounts on CF went away there again we would lose a lot of scam sites assuming they don't accept Monero or similar and like .tk we would also lose some cool sites.

Alifatisk
0 replies
2d4h

Shouldn't be a surprise, there is a tight relationship between Cloudflare and the booter community. I remember every booter site or similar was always behind Cloudflare, I think it was a common practice because it didn't seem like Cloudflare cared about these abusive sites.

jackblemming
14 replies
2d4h

You think that fraud is just going to go away because .tk is gone?

jamespo
13 replies
2d4h

probably not, but very little of value has been lost

dlachausse
12 replies
2d4h

I would disagree, I remember as a kid in the late 90s being able to host a website on one of the free hosting providers and then pairing it with a free domain name just made the whole thing that much more special. $10 or so a year for a paid domain name isn't a ton of money, but it can be for a kid with no credit cards and parents that aren't convinced as to why you "need" a domain name.

bombcar
10 replies
2d4h

The problem is that "free for kids" is also "free for scammers" and it's hard to square that circle.

kdmccormick
6 replies
2d3h

Would be really cool if public schools provided a free domain and basic hosting for any interested middle/high school student.

where-group-by
2 replies
2d3h

I don't think that would be a good idea. It would introduce an admin burden on the schools related to moderating/monitoring the sites. And they would more than likely overstep in one way or another, when enforcing their rules.

kdmccormick
0 replies
2d3h

I was thinking state-administered. Public school enrollment would just be the precondition to access the program.

But sure, yeah, there'd be some admin time spent managing it. As with anything, there are plenty of reasons not to do it. It struck me as a low cost-to-impact ratio thing that could get kids into tech, but reasonable minds could disagree.

bombcar
0 replies
2d2h

The only way it would work is if it was literally handled by the government, and the associated 1st amendment rules applied (so it wouldn't be moderated unless it was actually shut down by a court case).

It would result in rampant wildness and people complaining, but if you didn't do it that way the burden would be too high.

cube00
2 replies
2d3h

Good luck considering we can't even pay teachers properly.

kdmccormick
1 replies
2d3h

Cost would be negligible compared to a teacher's salary.

(1 teacher / 20 students) * ($50k / teacher-yr) = $2500 per student per year to fund teacher salary.

Compare that to $40/yr domain+hosting, which maybe 10% of students will use. $4/student-yr will not be the diffence between paying teachers probably or not.

lxgr
0 replies
2d2h

That budget only works if you don't care about content moderation or abuse management at all – or did you expect teachers to just do that on the side?

lxgr
2 replies
2d2h

Another way of looking at this is that scammers can probably afford to spend $5-10 on a TLD since it's just a cost of doing "business" to them, but many kids can't.

I was very happy about free TLDs back in the day as a teenager, since I could just try things out before having to convince my parents to let me use their credit card to register a proper domain name.

Caligatio
1 replies
2d2h

It's infinitely easier to spend $0 vs $0.01 if you're trying to be anonymous online. The criminals can certainly afford it but that also almost certainly means interacting with financial systems that leave a paper trail.

lxgr
0 replies
2d1h

I doubt that that's any kind of obstacle to criminals.

At a quick glance, many registrars and hosters seem to accept crypto, and anyone can buy prepaid Visa and Mastercard cards anonymously for cash for the ones that don't.

knodi
0 replies
2d3h

we're not in the 90s anymore. Many free subdomains options such as gitpages or full on free app (heroku) exists now.

creatonez
8 replies
1d21h

If .tk was such a clear signal for abuse, isn't it a bad thing that signal no longer exists?

I'd rather ICANN finally introduce .free, give a few years to alert everyone, and those developing spam filters can treat it how they want.

refulgentis
7 replies
1d18h

If .tk was such a clear signal for abuse, isn't it a bad thing that signal no longer exists?

No, this is (obviously) contrarianism for contrarianisms sake.

It's good when entities facilitating crime stop facilitating it. No debate necessary.

Additionally, it's completely unclear what you mean by your proposal.

creatonez
4 replies
1d17h

Spam and scams will happen no matter what. It will just be spread across the cheapest domain registrations that are still available now. The narrow and self-serving aspect that Facebook investigated, cybersquatting, should not justify killing off legitimate free domain registrations forever, at least in a better world where we more directly tackle these problems.

refulgentis
3 replies
1d17h

Nobody cut off "legitimate free domain registrations" forever.

Airquotes aren't sarcastic, just, idk exactly what that combination of words means so I want to leave myself an out.

You are free to hand out domains for free to strangers, if you so desire.

Nobody stopped anyone from anything.

creatonez
2 replies
1d12h

You are free to hand out domains for free to strangers, if you so desire.

Nobody stopped anyone from anything.

This is impossible, as we have just seen with the ICANN termination of Freenom. Turns out, the legal threats will kill it, even if other TLDs also have plenty of cybersquatting going on. There's realistically no way to repeat Freenom's success in giving out free domains without greatly heightened legal expenses now. It's gone, the fun is over.

Likewise, because of this legal pressure they will likely never allow a .free proposal -- which is to assign .free to an organization wishing to provide free domain names and foot the bill themselves, essentially becoming the LetsEncrypt of domain name registrars.

refulgentis
1 replies
1d9h

The article claims Freenom shut down of its own free will. Are you reporting otherwise?

creatonez
0 replies
1d8h

Are you reporting otherwise?

Essentially, yes. Freenom lost its registrar accreditation a few months ago, so all domain names will be forced by ICANN to go to another registrar. I'm assuming they saw no path towards getting it back, due to the difficult nature of complying with reporting correct registrant information for free users.

https://domainnamewire.com/2023/11/10/icann-terminates-opent...

They also just finished a $500 million settlement with Meta.

moralestapia
1 replies
1d17h

A TLD per se is not a facilitator for crime.

refulgentis
0 replies
1d15h

Correct - and either a strawman or nonsequitor.

Someone said "Wow. It's bad they banned cars"

I said "No they didn't. It's good that seedy car dealership, the one that couldn't stop selling armored cars to Al Capone's crew for years, gave up and shut down."

You added "Cars don't kill people. People kill people."

majani
0 replies
1d3h

As someone who had also grown to automatically ignore .tk domains, perhaps we've lost a reliable spam signal and honeypot

TheAdamist
0 replies
1d18h

Interesting, .xyz was by far higher on my list of disreputable spam domains.

I'd be happy with that one shut down too.

overstay8930
52 replies
2d4h

The people complaining that Cloudflare hosts these criminals would be the first ones complaining that Cloudflare has too much power when taking down websites it doesn’t like.

You can’t win with these people, I personally think this is the best outcome and shows our systems work (albeit slowly). Sure it took a while, but now there doesn’t have to be a precedent of Cloudflare acting as the internet police more than it has to.

AlienRobot
21 replies
2d3h

This seems like such a weird problem to me. If they're criminals, just send the cops? If you can't send the cops, then they aren't criminals?

How do you end up in this limbo where you need critical infrastructure to play judge?

newaccount74
6 replies
2d1h

Cloudflare shields criminals from cops. They do so because of "free speech" or whatever. There was recently a story about a swatting victim, who tried to get the forum the swatters use to shut down. Cloud flare refused to give the identity of the criminals, the case even went to court and the victim lost and now apparently has to pay court costs.

Our legal system is unfortunately not perfect, which is why it matters what infrastructure providers do.

Do they enable criminals by shielding them from the police? Or do they have policies in place that prevent abuse of their service?

With Cloudflare, I'm pretty sure they lean towards the former.

ehutch79
2 replies
2d1h

I'm reasonably sure cloudflare would comply with any subpoenas / warrants sent their way.

derefr
1 replies
1d22h

Which is a catch-22, because subpoenas / warrants for collection of digital information have to name a specific intended target (a real legal identity under suspicion, not some pseudonym) — and "the real legal identity of the suspect" is exactly the thing that Cloudflare's proxy-shielding prevents you from learning. Courts won't act until they have some specific individual to act toward.

(This is also why, whenever you hear about e.g. police stings on Tor forums, they never mention requesting courts to issue warrants to ISPs for collection of e.g. traffic-analysis-correlation info about locations of servers hosting illegal content. Instead, this de-anonymization step is something they always have to achieve extra-judicially, usually by contracting a private network threat intelligence firm.)

struant
0 replies
1d18h

Or you don't hear about the methods they are using for deanonymizing because they would get the cases thrown out of a court. Warrantless wiretapping and the like... And the private firm is just lying for them so law enforcement can do parallel construction.

internetter
1 replies
1d22h

wait, are you mad cloudflare decided not to be an active participant in a doxxing campaign? Swatting is awful but I'm inclined to side with cloudflare here.

newaccount74
0 replies
1d20h

I'm mad that they offer anonymity to criminals. If you offer a service that lets people hide their identity, you ought to perform a bit of due diligence.

mcfedr
0 replies
2d

Obviously with no context but what I hear

Is the website illegal? Or maybe the police need to deal with spam calls more sensibly. Presumably they can trace where the calls are coming from in real life

lolinder
6 replies
2d3h

The internet is a global system that spans ~all jurisdictions, and most internet criminals live in jurisdictions that don't prosecute internet crimes as long as the bad actors leave citizens of their own country alone.

So they're criminals as far as the US and allies are concerned, but de facto not criminals where they live. If they're going to be locked out of the system, it has to be by the infrastructure, because their government has no interest in stopping them.

AlienRobot
5 replies
2d2h

I see. Perhaps there should be a legal framework to get the government to demand companies like cloudflare stop serving these international criminals, then. That way it wouldn't depend on a private entity making the judgement.

Do you ever think it's weird that we have gone through web 1.0, web 2.0, semantic web, intertubes clogged with spam bots, web 3.0: crypto edition, and the dawn of AI scraping, and we still haven't figured out these issues?

Caligatio
4 replies
2d2h

Which government do you mean when you say "the government"? Any national government? Only the US government? Only governments in which the US is friendly and/or has agreements with?

Would you want authoritarian governments to be able to demand Cloudflare stop serving those they consider criminals that are outside their borders?

International law is messy.

toast0
2 replies
2d

The rule of thumb is governments where Cloudflare has equipment, personel, or banking.

There is a procedure to get a foreign case recognized in the US, too, but it has to be serious, and it's not an easy process.

Caligatio
1 replies
1d22h

CloudFlare has equipment in 120+ countries, including China: https://www.cloudflare.com/network/

I again ask: is it desirable for any of those countries to be able to unilaterally force a company to enforce its laws regardless of where the individual in question is?

toast0
0 replies
1d21h

If the equipment is in country X, it seems reasonable to enforce the rules of country X. Plenty of companies refuse to operate in specific countries, including China, because they don't want to follow rules of that country.

If CloudFlare chooses to do business in China, that's a choice they're making and it comes with consequences.

Maybe they can offer service where customers will only be served from equipment outside of China, maybe that's not something they choose.

immibis
0 replies
1d23h

For starters, Cloudflare is a USA company so it has to do whatever the USA government tells it. See National Security Letters.

They can easily order it to reveal the origin server of a website, or the sign-up IP address of the account, or to stop providing services to one.

stef25
3 replies
1d21h

Who you going to send to an online pharmacy hosted say in Egypt?

caskstrength
2 replies
1d20h

Why do you need to take down Egyptian pharmacy in the first place?

iopq
1 replies
1d19h

Because they send controlled substances to the US and falsely label them as "supplements"

I know, because I bought RX stuff from India and it did not get labelled as medication

caskstrength
0 replies
1d11h

Someone bought roids from India and didn't get busted by DEA in the process?! The horror!

hnbad
2 replies
1d23h

Are you American? Because that sounds like such an American idea of how the world works.

To answer your question: most malware actors can be traced back to Russia, what exactly do you think "sending the cops" after them will accomplish and if the answer is "nothing", then does that mean you don't think they can be called criminals?

AlienRobot
1 replies
1d22h

It doesn't need to be physical cops. What I mean is that if crimes are being committed, the legal system should initiate a process that either puts them in jail (which as you say may not be possible) or ends up with cloudflare banning and other internet companies blacklisting them. That way, the burden of judging criminality isn't on random companies but on the appropriate authorities.

wlonkly
0 replies
1d14h

Legal systems. And getting the Russian and American legal systems to cooperate is about as hard as getting Russia and America to cooperate.

lxgr
13 replies
2d2h

What criminals are you referring to? The operators of .tk, or their users?

mobilemidget
12 replies
2d2h

There are tons of shady websites hiding behind cloudflare's services. Some used .tk domains too but just in general, many shady websites are hiding behind Cloudflare and at least I know from personal experience if you contact cloud flare about it, they pretend not to be home.

"We do not host the website" was always there response, while that is perhaps technically true, arguing if they shut down the reverse proxying for that website it would be at least offline, never worked.

lxgr
11 replies
2d1h

Cloudflare is a US company. If they provide hosting (or reverse proxying; I don't think there's a material legal difference) services for anything illegal under US law, shouldn't it be possible to compel them to stop doing that through the legal system?

And if this is about not-illegal-but-objectionable content, I'm actually glad that as an infrastructure company, they're choosing to not get into the business of content moderation.

internetter
8 replies
1d22h

if this is about not-illegal-but-objectionable content, I'm actually glad that as an infrastructure company, they're choosing to not get into the business of content moderation.

Agreed. There's one other subset you didn't mention: "Clearly illegal but not yet handled in the court of law". Cloudflare again has a pretty hardline stance that "the courts need to come to us and force us to take it down"

diggan
4 replies
1d22h

Clearly illegal but not yet handled in the court of law

Isn't that somewhat of an oxymoron? What are some examples of something that is against the law but not handled by the courts of law?

internetter
2 replies
1d17h

I mean not handled yet. Like say I'm hosting pirated content. Yes it's illegal, but it's not Cloudflare's place to say that.

diggan
1 replies
1d7h

Right, but if brought up to the courts, they would handle it, since it's illegal. But someone needs to prosecute for that to happen.

So it sounds like the system works as intended, as far as I understand.

internetter
0 replies
1d3h

I agree. It's not Cloudflare's place to remove something because it might be illegal

dingnuts
0 replies
1d22h

Maybe that commentator lives in a country without common law, so precedent doesn't matter, but in a country like the US a law without precedent is considered "untried" and a lot of the details are worked out when the law is first enforced.

If the legislature doesn't like the court's interpretation, they can then amend the law and the process restarts.

So basically, at least in the US, nothing is clearly illegal until it is handled by a court -- so yes I think you're right

caskstrength
1 replies
1d21h

Cloudflare again has a pretty hardline stance that "the courts need to come to us and force us to take it down"

"Hardline"? To me it seems like quite reasonable approach as opposed to "we will just take down anything someone on Twitter didn't like".

newaccount74
0 replies
1d20h

It's not reasonable. 99% of scams, frauds and harassment will never be subject of legal action, because there just aren't enough prosecutors out there to charge every fraud attempt.

If you require a court ruling before blocking a fraud, it means you will keep hosting 99% of frauds.

lxgr
0 replies
1d22h

If it's clearly illegal, what prevents it from being handled in any court of law? If it's not actually as clear, preemptive/overzealous compliance can lead to all kinds of undesirable (in a liberal democracy) effects.

I also doubt that Cloudflare lets every single analogous issue bubble up to a full court case every single time, but for new/unclear/borderline scenarios, I'm glad that courts don't get to outsource their duty, i.e. determining the legality of actions, to a for-profit organization without public oversight.

stef25
0 replies
1d21h

A while back there was an interview with someone at Cloudflare and they were asked what about these Al Qaeda sites you guys are in front of, dude just answered "no comment". Seems that at the time they didn't ask many questions at all, like you said cause they don't want to go in to content moderation.

costco
0 replies
1d22h

They can. You can also subpoena them for information on an account, there are literally lawyers with blogs talking about how to do this. The people complaining essentially think that they should have the right to take anything they want down with an abuse report.

lolinder
9 replies
2d3h

You can’t win with these people

This is the classic fallacy of assuming that because you see comments of type A and comments of type B on the same forum that means they're the same people. They're usually not.

A more accurate way to phrase this is "you can't win with ... people". Whatever you do will end up ticking off some subset of the population.

philsnow
4 replies
1d16h

There’s a similar problem I encounter from time to time: when I self-identify as “conservative” and express opinion C, many people assume I also hold opinions D, E, and F, because “that’s how all conservatives are”.

There are multitudes in every group.

remram
1 replies
1d4h

They are not many multitudes in the US. Good on you, but my experience is that most people stick with one group and regurgitate the party lines. I think this comes mostly from very polarized TV shows.

Likewise, if you disagree with them, they instantly assume that you are with the other group. It is strange.

nine_k
0 replies
23h51m

The two-party system easily evokes the ancient knee-jerk reflexes. The millennia-old "us against them" tends to eschew any nuance and instill the war mentality. Either you are "one of us", and subscribe to the bulk of "our" views, or you are "one of them", and are assumed to subscribe to the bulk of "their" views.

Pretty sad :(

nine_k
1 replies
23h54m

There's one great piece of advice: "Keep your identity small" [1].

(If people ask me about my political affiliations, I usually answer something like "Hamilton for president! Of maybe Jefferson."; this kind of statesmanship is hard to find now though.)

[1]: https://www.paulgraham.com/identity.html (It's short, read it now.)

Cthulhu_
0 replies
56m

Does that mean, instead of saying "I am conservative", you instead only answer about specific policies (e.g. whether you use vim or emacs)?

mypastself
3 replies
2d2h

“These people” is presumably a set of people quick to find fault in anything a corporation does, which could be a superset of those two groups. Not sure what kind of fallacy that’s supposed to be.

mathgradthrow
0 replies
2d2h

Your evidence for the non-emptiness of this set of people is the fallacy above

kortilla
0 replies
2d2h

Those people are in the noise and nobody cares what they think once they realize they just criticize for the sake of it.

That doesn’t change that people seem to think the top upvoted comments being contradictory from day to day represents some kind of inconsistency in the views of the commenters on this site.

__s
0 replies
2d2h

intersection, not superset

0x0000000
1 replies
2d2h

The people complaining that Cloudflare hosts these criminals would be the first ones complaining that Cloudflare has too much power when taking down websites it doesn’t like.

It'd be interesting if you could point to a single example of someone taking both sides. I strongly doubt these are the same people.

overstay8930
0 replies
1d22h

If you're asking me to personally identify someone, no I'm not going to do that. However if you want to see some hilarious hypocrisy, go ahead and see who said what when Cloudflare banned 8chan.

ogurechny
0 replies
1d18h

There is no contraposition. In both cases, big company simply does something it wants.

This comparison actually highlights that there is no “system”, because some (imaginary) impersonal entity decides that those bad actors are allowed, and those bad actors are not allowed. Some public sensibilities are given as a reason, but no one is actually asking anyone's opinion on anything. Still, there are people who believe that Santa Claus brings presents for free, and that the whole thing is not governed by typical hypocrisy and typical politics behind closed doors. The thing is, you've built a turnpike, you can now bargain with people interested in sharing control over that turnpike.

mardifoufs
0 replies
1d17h

Well CloudFlare already does exactly that. It already set the precedent you are referring to. That's why it feels odd that they don't shut down literal criminals too. They have no issues with shutting down stuff, but they are famously very lax when it comes to actual criminal stuff. I'm not trying to say that they were wrong or right for engaging in content policing, what I'm saying is that the precedent isn't new.

explain
0 replies
2d3h

Not the same people at all.

akira2501
0 replies
1d22h

You can’t win with these people

People who want to live in a just world often get in the way of things. I'm just not sure why you're mad at those who want justice and not those who put profits above all else?

that Cloudflare hosts these criminals

Oh.. it's not that they host them, it's that they go out of their way to protect them, and the profit streams associated with them.

dlachausse
16 replies
2d4h

Another prominent .tk domain is for the Tcl programming language (tcl.tk) and I just checked, that is one of the paid .tk domains that are still up.

overstay8930
13 replies
2d3h

Why do orgs feel the need to use these whacky TLDs

I’m still of the fence with rust using .rs in important places which is fundamentally in control of the Serbian government. You’re going to have to trust the Serbian government with signing .rs DNSSSEC at minimum and I don’t.

yau8edq12i
3 replies
2d1h

Who do you trust?

overstay8930
0 replies
1d22h

Any of the OG TLD's, I wouldn't tie my domain to anything political at all outside of the US.

You already have to implicitly trust the US government when it comes to anything internet-related as all of the critical infrastructure is, whether you like it or not, American, so you might as well set up shop within US control.

mcfedr
0 replies
2d

Not a bunch of pro Russia mafia

DaSHacka
0 replies
1d10h

.moe, as it's clearly the classiest and most professional TLD out there

Fnoord
2 replies
2d3h

Remnant of a time when the Internet was new and geeks would buy all kind of fun domains with odd TLDs.

bdcravens
1 replies
2d

"new"? I don't remember seeing many of the "odd TLDs" for sale until the web had been around 10-15 years.

Fnoord
0 replies
1d22h

Not the TLDs themselves the creative use of them.

I started on the Internet in the (mid) 90s. Back then, it was already common among security conscious folks. A bit later, end 90s, you could buy a shell account for a couple of USD per month. You could run a BNC on it, or IRC client. It had various IPv4 with reverse DNS, this was called vhost. For example, you could end up with I.pwned.the.whole.eu.org and plays where TLD was part of word. Goatse.cx for example reads 'goatsex', Slashdot.org reads 'slashdotdotorg' or 'httpcolonslashslashslashdotdotorg', the founder of first Dutch consumer ISP Xs4all Rop Gonggrijp had gonggri.jp for ages (guess his email address). There are countless of examples.

rvnx
1 replies
2d3h

Because all .com are already taken and available only after you pay ransom money.

bdcravens
0 replies
2d

Then use descriptive product names, not cute single words that are being used by 47 other products.

tptacek
0 replies
1d1h

That random world governments, many with judiciaries you can't access, control TLDs is a good reason not to use wacky ones. But DNSSEC isn't really part of that argument. Nobody trusts DNSSEC (the root keys could land on Pastebin and virtually nobody would even need to be paged), and the trust issue is the same before-and-after.

pmdr
0 replies
1d23h

I think .so is an even whackier choice and people are rushing to it. Why notion.com redirects to notion.so is beyond me. Probably couldn't buy it and pay only for a redirect?

dlachausse
0 replies
2d3h

In TCL’s case it’s a fun play on Tcl/Tk, which is how it is often referred to when including its famous GUI toolkit.

api_or_ipa
0 replies
1d19h

To be perfectly fair, the list of DNSSEC cock-ups is staggering. .nz ccTLD was taken down, IIRC, for 4 days after a bad KSK rollover just last year. I’ve seen prominent registrars with ‘automated’ DNSSEC fail to upload correct NSEC and RRSIGs. It’s not uncommon to see .gov domains go down because of DNSSEC. You’d think all these entities should get it right, but they don’t. Probably why many major tech domains such as google.com don’t use DNSSEC.

But to your point, using a ‘off-brand’ can really hurt sometimes. `.af` might be a cute marketing tactic, but it’s actually Afghanistan, and the Taliban play by a different rulebook. I believe it was `gay.af` that found that out the hard way. Tons of other stories.

smrtinsert
0 replies
2d1h

Ah nostalgic for tcl.

blacksqr
0 replies
2d1h

The TCL maintainers switched their main URL to tcl-lang.org a while back because Freenom was so unreliable, although they've continued to serve tcl.tk as well with crossed fingers.

I really hope Tokelau chooses a reputable registrar going forward, and .tk becomes usable for serious people.

znpy
4 replies
1d22h

Uh… if anybody has a legitimate .tk domain, how does one keep it alive?

qingcharles
3 replies
1d19h

I used to pay for mine. They were sold through resellers if you wanted to keep it. One advantage of .tk is that they supported emoji domains.

znpy
2 replies
1d5h

Which resellers?

qingcharles
1 replies
19h22m

I bought mine through infomaniak.com.

znpy
0 replies
4h39m

I'm trying to move a legitimate domain to them but I'm getting this error:

    Entity reference not found [Object does not exist]
Has something similar happened to you ?

estebarb
4 replies
2d4h

Oh, that is why I wasn't able to renew some domains I have used for 10+ years. I'm not even able to upgrade to paid domain.

I don't think it will help reducing malware/scams/phishing. But it will hurt students and young people that want to start in en development and aren't able to pay for a domain.

iopq
0 replies
1d19h

I applied for a domain at nic.eu.org in 2023 and I have never gotten a response

toddmorey
3 replies
2d4h

I get .tk was popular because it was free and you do need a home for your website that’s portable across providers (not like a .netlify.app sub).

But like we learned from .af, any of these TLDs technically meant for a country need to be considered ephemeral. You are sort of borrowing it without explicit (or lasting) permission.

samtho
2 replies
2d4h

You are sort of borrowing it without explicit (or lasting) permission.

To be fair, this is true of all domains. The broader concern with ccTLDs is this borrowing dynamic layered with whatever geopolitical situation the country is in, how stable the administering authority is with respect to the current regime, or just the political forces at work within the country that may lead to changes or requirements for the ccTLD within the country are registered. There is often a concern of DNS infrastructure and local bandwidth considerations for the data center in which the root nameservers are housed, assuming they are not outsourcing that.

CydeWeys
1 replies
2d

It's not true of gTLDs though. You actually own those domains, and they can't be taken away from you (barring extreme circumstances) so long as you pay the registration fees every year. But domains on ccTLDs can be taken away from you by the government at any time for any reason.

genewitch
0 replies
1d19h

I gotta say i find it extremely hard to believe that one can "own" a domain. This sounds like hand-waving. We don't own software, we barely own computers (to do with what we want), we don't own media.

Is this like "one can own land" but really that's asterisked with Eminent Domain (no pun intended)?

thih9
3 replies
2d4h

The article presents this as a loss - but cloudflare has a free tier, do we know if these were paid accounts? If cloudflare weren’t going to convert these users then this could be a gain.

PokestarFan
2 replies
2d3h

If the users were using free domains instead of paying for a domain do you think they'd use paid cloudflare? The cost of a domain is so much lower than the cost of Cloudflare.

thih9
0 replies
2d2h

I don’t know and that’s why I’m asking. Not paying for a domain is not a reason enough to expect not paying for cloudflare - these are different services. Also note that even not paying for cloudflare is not enough - I asked whether cloudflare intended to convert that segment.

sltkr
0 replies
1d23h

I could at least imagine a scenario along the lines of: penniless college student creates a site at a .tk domain. Later, the student gets a job so he is no longer penniless, and meanwhile, his site actually becomes popular, so he signs up for cloudflare, maybe even registers a .com domain, but keeps the .tk domain alive because that's where most his traffic is coming from.

Not sure how common that is. But I don't think it's a given that all sites hosted on .tk domains are unwilling to pay, especially not if you consider that they must be somewhat popular if they need a CDN.

(The sort of personal homepage that most of us had back in the 90s would never need a CDN because it would get 5 hits per week.)

mastazi
1 replies
1d17h

Is it safe to assume that these were overwhelmingly on Cloudflare's free tier? I don't expect that someone who gets a domain for free is going to pay for hosting; if that's the case I don't see this as a big loss for Cloudflare, or am I missing something?

creatonez
0 replies
1d12h

I would guess the same, that these are not Cloudflare customers but rather domains that happened to be configured on Cloudflare. CF probably just increased their profit margin a little by no longer handling all those free users.

bastawhiz
1 replies
2d2h

The affected domains represent a big loss for Cloudflare, with .tk, .cf and .gq previously accounting for 23.1% of all domains hosted on its platform – and nearly all of these have now gone.

I'm not sure in what way this is a "loss". I doubt cloudflare is losing money (or revenue) here. Especially if many of these domains are spammy, it seems like this is probably not much of anything for them.

jacurtis
0 replies
1d21h

This was my thought while reading this. Overall I think this is a net-win for CloudFlare. I suspect that exactly 0.00% of the 12.6 million domains they just "lost" were paying customers. Considering the people didn't want to pay for a domain, they probably weren't paying for a CDN either.

I'm sure Cloudflare will be able to wipe away their tears of this loss using the extra dollar bills they have from reducing their bandwidth costs.

zoklet-enjoyer
0 replies
1d20h

My friends and I used cjb.net for our anime website

rurban
0 replies
1d11h

Yeah, I've lost my cannes-ratings.tk around that time without any explanation. Lucky I decided to finally pay for the .org a year before.

nicrtt
0 replies
2d2h

Ahhh, the memories :)

Understandable, but a loss all the same. I'll never forget how proud I felt as a kid when I first had a URL I could give to people.

ncruces
0 replies
2d2h

I had a free website on .tk

When it because moderately successful, they didn't renew, and then wanted 50€/year.

jacurtis
0 replies
1d21h

I'm sure CloudFlare is just reeling from this "loss" of 12.3 Million unpaid customers.

I hope the CEO doesn't drink too much tequila tonight during the celebrations

dancemethis
0 replies
2d1h

Tangentially, Cloudflare REALLY needs to start supporting transferring .moe domains already.

ChrisArchitect
0 replies
2d3h

Is there any other connection to Cloudflare? I thought maybe they were using the .cf domain for their own stuff or something. ;)