Simon Willison’s Weblog


21 posts tagged “domains”

2025

PyPI: Preventing Domain Resurrection Attacks (via) Domain resurrection attacks are a nasty vulnerability in systems that use email verification to allow people to recover their accounts. If somebody lets their domain name expire an attacker might snap it up and use it to gain access to their accounts - which can turn into a package supply chain attack if they had an account on something like the Python Package Index.

PyPI now protects against these by treating an email address as not-validated if the associated domain expires.

Since early June 2025, PyPI has unverified over 1,800 email addresses when their associated domains entered expiration phases. This isn't a perfect solution, but it closes off a significant attack vector where the majority of interactions would appear completely legitimate.

This attack is not theoretical: it happened to the ctx package on PyPI back in May 2022.

Here's the pull request from April in which Mike Fiedler landed an integration which hits an API provided by Fastly's Domainr, followed by this PR which polls for domain status on any email domain that hasn't been checked in the past 30 days.

# 19th August 2025, 3:36 pm / domains, pypi, python, security, supply-chain
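The policy in the PyPI post above, as an added illustration (example code, not PyPI's own implementation): verified addresses are re-checked at most once every 30 days, one status lookup per domain per sweep, and an address loses its verified status when its domain's registration is in an expiration phase. The status vocabulary, the lookup table and the addresses are constructed stand-ins for a real registrar-status API such as the Domainr one PyPI calls.

```python
# Added illustration of the policy described above (example code, not PyPI's
# own implementation). The status strings, the lookup table and the email
# addresses are constructed stand-ins for a real registrar-status API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

RECHECK_INTERVAL = timedelta(days=30)
# Constructed status vocabulary; a real API has its own set of values.
EXPIRATION_STATUSES = {"expiring", "expired", "pending_delete", "deleted"}


@dataclass
class EmailRecord:
    address: str
    verified: bool
    domain_last_checked: Optional[datetime] = None


def email_domain(address: str) -> str:
    """Return the normalised domain part of an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def is_due(record: EmailRecord, now: datetime) -> bool:
    """Re-check a domain if it was never checked or 30+ days have passed."""
    last = record.domain_last_checked
    return last is None or now - last >= RECHECK_INTERVAL


def sweep(records: List[EmailRecord],
          lookup_status: Callable[[str], str],
          now: datetime) -> List[str]:
    """Re-check due domains once each; unverify addresses on expiring domains.

    Returns the addresses that lost verified status in this sweep.
    """
    unverified: List[str] = []
    seen: Dict[str, str] = {}  # one lookup per domain per sweep
    for record in records:
        if not record.verified or not is_due(record, now):
            continue
        domain = email_domain(record.address)
        if domain not in seen:
            seen[domain] = lookup_status(domain)
        record.domain_last_checked = now
        if seen[domain] in EXPIRATION_STATUSES:
            record.verified = False
            unverified.append(record.address)
    return unverified


# Constructed registrar-status table standing in for the live API.
FAKE_STATUS = {
    "example.com": "active",
    "lapsed-example.test": "pending_delete",
    "recent-check.test": "expired",
}


def fake_lookup(domain: str) -> str:
    return FAKE_STATUS.get(domain, "unknown")


def run_demo() -> Dict[str, bool]:
    """Run one sweep over constructed records; return address -> verified."""
    now = datetime(2025, 8, 19, tzinfo=timezone.utc)
    records = [
        EmailRecord("alice@example.com", True, now - timedelta(days=45)),
        EmailRecord("bob@lapsed-example.test", True, None),
        # Checked 5 days ago: not due, so its expiry goes unnoticed until the
        # 30-day window elapses. That lag is the cost of polling.
        EmailRecord("carol@recent-check.test", True, now - timedelta(days=5)),
        EmailRecord("dave@lapsed-example.test", False, None),
    ]
    sweep(records, fake_lookup, now)
    return {r.address: r.verified for r in records}


if __name__ == "__main__":
    for address, verified in run_demo().items():
        print(f"{address:30} verified={verified}")
```

The carol record shows the window the post alludes to when it calls the approach imperfect: a domain that expires the day after it was checked stays "verified" for up to 30 days, so a shorter interval buys earlier detection at the price of more API calls.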

2024

Ask HN: What happens to “.io” TLD after UK gives back the Chagos Islands? This morning on the BBC: UK will give sovereignty of Chagos Islands to Mauritius. The Chagos Islands include the area that the UK calls the British Indian Ocean Territory. The .io ccTLD uses the ISO-3166 two-letter country code for that designation.

As the owner of datasette.io the question of what happens to that ccTLD is suddenly very relevant to me.

This Hacker News conversation has some useful information. It sounds like there's a very real possibility that .io could be deleted after a few years notice - it's happened before, for ccTLDs such as .zr for Zaire (which renamed to Democratic Republic of the Congo in 1997, with .zr withdrawn in 2001) and .cs for Czechoslovakia, withdrawn in 1995.

Could .io change status to the same kind of TLD as .museum, unaffiliated with any particular geography? The convention is for two letter TLDs to exactly match ISO country codes, so that may not be an option.

# 3rd October 2024, 5:25 pm / dns, domains, hacker-news

2022

Every remaining website using the .museum TLD (via) Jonty did a survey of every one of the 1,134 domains using the .museum TLD, which dates back to 2001 and is managed by The Museum Domain Management Association.

# 20th November 2022, 12:53 am / domains, museums

2020

How CDNs Generate Certificates. Thomas Ptacek (now at Fly) describes in intricate detail the challenges faced by large-scale hosting providers that want to securely issue Let’s Encrypt certificates for customer domains. Lots of detail here on the different ACME challenges supported by Let’s Encrypt and why the new tls-alpn-01 challenge is the right option for operating at scale.

# 26th June 2020, 12:03 am / acme, certificates, domains, thomas-ptacek, tls, fly

2018

The death of a TLD. Sony have terminated their .xperia TLD. Ben Cox used Certificate Transparency logs to evaluate the 11 total TLDs that have been abandoned since the gTLD gold rush started—since HTTPS is becoming the default now these logs of issued certificates are a great indicator of which domains (or TLDs) are being actively used. The only deleted TLD with legitimate looking certificates (apparently for a mail server) was .mcdonalds.

# 28th July 2018, 8:07 pm / certificates, dns, domains, tls

Domains Search for Web: Instant, Serverless & Global (via) The team at Zeit are pioneering a whole bunch of fascinating web engineering architectural patterns. Their new domain name autocomplete search uses Next.js and server-side rendering on first load, then switches to client-side rendering from then on. It can then load results asynchronously over a custom WebSocket protocol as the microservices on the backend finish resolving domain availability from the various different TLD providers.

# 26th January 2018, 1:14 am / domains, websockets, zeit-now, microservices

2017

SSL Issuer Popularity. The impressive growth of Let’s Encrypt in one graph: from 4.87% of TLS-enabled domains in May 2016 to 36.68% in November 2017.

# 21st November 2017, 2:44 pm / domains, ssl

2013

What is the best service for web hosting and buying a domain? Is it better to have both under one provider?

No, it’s not better to have both under the same provider. Good web hosts do not necessarily make good DNS hosts and vice versa.

[... 51 words]

2012

How did art.sy get a “.sy” url?

Here’s a generally useful tip: if you’re interested in learning more about ANY top level domain, visit the Wikipedia page for it—which will be http://en.wikipedia.org/wiki/.sy in this case (just add the domain, complete with its dot prefix, directly after en.wikipedia.org/wiki/ ).

[... 105 words]

Are there any disadvantages to using domain hacks for your product website?

If you ever get written up in the mainstream press you can almost guarantee that they will screw up the URL they publish (by sticking a .com on the end or fixing a deliberate misspelling). Sadly this still seems to be the case after 20 years of the Web!

[... 74 words]

Why is Google indexing & displaying www1 versions of my site and how might I stop this?

You should stop serving your site to the public on multiple subdomains. Configure your site to serve a 301 permanent redirect from www1-www4 to the equivalent page on www—also, make sure that your site accessed without the www redirects to the right place as well.

[... 269 words]
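The redirect advice in the answer above, as an added example (not from the original answer): a WSGI middleware that answers any request for the bare apex or www1 through www4 with a 301 to the same path and query string on the www host, and passes everything else through untouched. example.com and the hello app are constructed.

```python
# Added example of the redirect advice above (not from the original answer).
# example.com is a constructed hostname; hello_app stands in for the real site.
from typing import Dict, Iterable, Optional
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"
ALIAS_HOSTS = {"example.com"} | {f"www{i}.example.com" for i in range(1, 5)}


def canonical_url(environ: Dict[str, str]) -> Optional[str]:
    """Return the www URL to redirect to, or None if no redirect is needed.

    Hosts that are neither canonical nor a known alias are left alone, so the
    redirect target is never built from an arbitrary Host header.
    """
    host = environ.get("HTTP_HOST", "").split(":", 1)[0].lower()
    if host == CANONICAL_HOST or host not in ALIAS_HOSTS:
        return None
    scheme = environ.get("wsgi.url_scheme", "http")
    # PATH_INFO arrives percent-decoded in WSGI; re-quote it for Location.
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/")
    url = f"{scheme}://{CANONICAL_HOST}{path}"
    query = environ.get("QUERY_STRING", "")
    if query:
        url += "?" + query
    return url


class CanonicalHost:
    """Wrap a WSGI app so alias hosts get a permanent redirect."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        target = canonical_url(environ)
        if target is None:
            return self.app(environ, start_response)
        body = b"Moved Permanently"
        start_response("301 Moved Permanently", [
            ("Location", target),
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def hello_app(environ, start_response):
    """Tiny application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from " + environ.get("HTTP_HOST", "").encode()]


def request(app, host, path="/", query="", scheme="https"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"HTTP_HOST": host, "PATH_INFO": path,
               "QUERY_STRING": query, "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    site = CanonicalHost(hello_app)
    for host in ("www1.example.com", "example.com", "www.example.com", "other.test"):
        status, headers, _ = request(site, host, "/about", "a=1")
        print(host, "->", status, headers.get("Location", ""))
```

A 301 is the right status here because search engines treat it as "the other name is the real one" and consolidate the duplicate index entries; the middleware keeps path and query so deep links on www1 land on the same page rather than the home page.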

2010

Why don’t more websites use alternative domains?

Because regular human beings don’t understand them, and expect everything to be a .com. Here’s an interesting post from 2007 on why Topix.net spent $1,000,000 buying the .com domain: http://www.skrenta.com/2007/03/k...

[... 45 words]

Is the .ly domain unsafe? Why?

It’s always been unsafe in my opinion. Why build your company around a domain name that’s controlled by the Libyan government?

[... 33 words]

Why do so many Internet sites end with the letter ’r’ (but not ’er’)? Think about Tumblr, Dopplr, Migratr. What’s behind this?

We just launched a project called lanyrd, which is a play on lanyard. We partly picked the name because the domain was available, but there’s actually a big advantage to using a made-up word: it’s really easy to search for coverage and feedback on Twitter, Google Blogsearch and the like. The string “lanyrd” is almost exclusively used to discuss our project—had we used a dictionary word, tracking down feedback would have been a lot harder.

[... 105 words]

Some People Can’t Read URLs. Commentary on the recent “facebook login” incident from Jono at Mozilla Labs. I’d guess that most people can’t read URLs, and it worries me more than any other aspect of today’s web. If you want to stay safe from phishing and other forms of online fraud you need at least a basic understanding of a bewildering array of technologies—URLs, paths, domains, subdomains, ports, DNS, SSL as well as fundamental concepts like browsers, web sites and web servers. Misunderstand any of those concepts and you’ll be an easy target for even the most basic phishing attempts. It almost makes me uncomfortable encouraging regular people to use the web because I know they’ll be at massive risk to online fraud.

# 2nd March 2010, 10:16 am / domains, facebook, phishing, security, urls

2008

Dangers of remote Javascript. Perl.com got hit by a JavaScript porn redirect when the domain of one of their advertisers expired and was bought by a porn company. Nat Torkington suggests keeping track of the expiration dates on any third party domains that are serving JavaScript on your site.

# 20th January 2008, 9:49 am / domains, javascript, nat-torkington, oreilly, perldotcom, security, xss
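Nat Torkington's suggestion above, turned into an added example (not from the original post): inventory the third-party hosts that serve script into a page and flag those whose domain registration is expired, about to expire, or not being tracked at all. The HTML, hostnames and expiry dates are constructed; a real tool would fill EXPIRY_INVENTORY from WHOIS/RDAP data, and the naive last-two-labels domain reduction would be replaced by a Public Suffix List lookup.

```python
# Added example for the advice above (not from the original post). The page,
# the hostnames and the expiry dates are constructed.
from datetime import date, timedelta
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def third_party_script_hosts(html: str, page_host: str) -> Set[str]:
    """Hosts other than the page's own that serve script into the page."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts: Set[str] = set()
    for src in parser.srcs:
        # scheme="https" lets protocol-relative //host/path URLs yield a host;
        # relative paths such as /static/app.js have no host and are skipped.
        host = urlsplit(src, scheme="https").hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def registrable_domain(host: str) -> str:
    """Naive last-two-labels reduction (no Public Suffix List): cdn.x.net -> x.net.
    Fine for the demo; suffixes like co.uk need the PSL."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def expiry_report(hosts: Set[str], inventory: Dict[str, date],
                  today: date, warn_days: int = 30) -> Dict[str, str]:
    """Map each registrable domain to ok / expiring / expired / unknown."""
    report: Dict[str, str] = {}
    for host in hosts:
        domain = registrable_domain(host)
        expiry = inventory.get(domain)
        if expiry is None:
            status = "unknown"    # nobody is tracking this one yet
        elif expiry < today:
            status = "expired"    # may already be registered by someone else
        elif expiry - today <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report[domain] = status
    return report


# Constructed page and expiry inventory.
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.ads-example.net/banner.js"></script>
<script src="//analytics.example.org/track.js"></script>
<script src="https://static.tracker-example.com/pixel.js"></script>
<script src="https://www.perl-example.com/site.js"></script>
</body></html>
"""
EXPIRY_INVENTORY = {
    "ads-example.net": date(2008, 1, 25),
    "example.org": date(2009, 6, 1),
}


def run_demo() -> Dict[str, str]:
    hosts = third_party_script_hosts(SAMPLE_HTML, "www.perl-example.com")
    return expiry_report(hosts, EXPIRY_INVENTORY, today=date(2008, 1, 20))


if __name__ == "__main__":
    for domain, status in sorted(run_demo().items()):
        print(f"{domain:25} {status}")
```

The "unknown" bucket is the one that matters most in practice: a script host nobody has an expiry date for is exactly the kind of dependency that was allowed to lapse in the Perl.com incident.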

2007

UK domain registrar 123-Reg crashes and burns, taking its customers with it. I was hit by this yesterday: can anyone recommend an alternative DNS host with a really easy to use interface (I’ve made mistakes modifying DNS in the past) and rock-solid reliability?

# 18th November 2007, 11:24 am / 123reg, dns, domains

Bust A Name. Smart Ajax powered domain search; you give it some words, it shows you available combinations. It’s still almost impossible to find something that doesn’t suck though.

# 20th August 2007, 3:40 pm / ajax, bustaname, domains, rails

FreeYourID.com. A free .name domain for 90 days, with built-in tools for managing e-mail forwarding and your OpenID. Could do with some unobtrusive JavaScript, but they’re really fast at responding to suggestions.

# 13th February 2007, 4:26 pm / domains, freeyourid, openid

Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services.

# 14th January 2007, 1:36 pm / domains, domainsecurity, google, security, xss

2004

TBL on TLDs

Tim Berners Lee (how many TLA celebrities is that now?): New Top Level Domains Considered Harmful. Read the whole thing—Tim blows the .xxx and .mobi proposals out of the water and takes a neat swipe at for-profit registrars in the process. Reading this, the main thing that struck me is how incredibly forward thinking TBL really is. People complain about the long duration of W3C processes and the futuristic nature of the semantic web but the W3C are trying to build technologies that will still be relevant ten or twenty years from now. When you consider the longevity of TCP/IP, this is a really smart strategy. It’s a shame so many people involved with the web have trouble thinking past the next few months.