> The domain ... has been suspended due to its blacklisting on Google Safe Browsing
Et voilà ... ! this is precisely the slippery slope I warned about a decade ago. The indirect censorship becomes direct censorship, defeating all the arguments about the morality of such a list. And:
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
This is 100% on Radix, not on Google. Google and Microsoft can (and probably should) have a registry of known-abusive websites. False positives are inevitable, so these should be taken with a grain of salt, but in most cases they're correct. Their lists are a lot more reliable than those from the "traditional" antivirus/anti-scam vendors that will list anything remotely strange to pump up their numbers.
The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.
Google’s allowed to have an opinion. But that doesn’t mean that the registrar should be suspending the domain immediately in response. These two mechanisms should be decoupled.
Google is stating in a position of authority. It's therefore being stated as at least a professional opinion with the equivalent weight of fact, or representing facts.
If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
Not to mention that the whole point of the list is for blocking in e.g. web browsers. Claiming it is just an opinion would be like a mobster claiming they didn't actually order a hit.
> If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
I agree with this! The registrar should not have triggered a suspension because of this. They're not obligated to, and the two processes should be decoupled.
“unsafe” is a term that is both broader and more vague, so I would consider it opinion unless backed up by appropriate facts (like “contains CSAM”, “contains malware”, and so forth).
They should be held legally culpable for libellous claims they make.
I dont care if their pre-LLM ai says "thingy bad". They are responsible for the scripts or black boxes they control. I dont care if they dont give a reason.
Claiming bad/malicious/etc site is 100% libel. And doubly so, anybody who has been forced to agree to a ToS with binding arbitration should have it removed for libel.
That is the bit that jumped at me immediately too. Why would a registrar take it upon itself to suspend a domain that another entity entirely blacklisted as part of their own completely opaque process? Who is Google? God?
On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.
It's like being unable to get a passport because Microsoft has you on The List, and Microsoft needs to see your passport to check why you're on the list.
Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?
It doesn't sound reasonable to me at all. Why would we think that the reasons google blacklists a domain would align perfectly with reasons a domain name would be suspended? In the end they don't seem to agree already since the domain was unsuspended. Who knows why it was blacklisted by google? Even the decision to unsuspend it looks arbitrary.
I always wonder what the settlement and damages would be if google marked Amazon as a phishing site for even a few minutes.
The problem is that these gatekeepers of the internet respond to false statements of facts/opinions by so called professionals.
I had cloudflare mark a worker as phishing because a AI "security company" thought my 301 redirect to their clients website was somehow malicious. (url redirects are normal affiliate things)
If the professionals don't understand the difference and cloudflare and google blindly block things, this is scary.
(IANAL) It's not about how it's stated, but whether it can be objectively proven to be true or false. "unsafe" refers to the likelihood of something bad happening in the future. You can't prove that something bad will happen in the future, so it's opinion.
Also not a lawyer, but that makes intuitive sense. If I say "that food tastes bad", it's phrased as a fact, but a "reasonable person" (which is in fact a legal test used for some things, although I admit I'm not sure about libel) knows that there's an implicit "...to me" qualifier because the concept of taste itself is inherently subjective. My instinct is that while there are some things everyone would agree on as unsafe, it pretty quickly turns into a judgment call, and it probably makes sense to allow even ill-informed opinions that are made in good faith rather than malice or negligence. The question then becomes whether there's sufficient evidence to conclude something like that, and while the bar is lower for a libel claim than something criminal, it's still not obvious this would be provable here.
This seems like a distinction without difference, given everyone in the ecosystem takes that "opinion" as true fact, including the market-leading browser produced by the "opinion"-haver.
I get that's mostly what corporate lawyers argue about, but it's functionally dishonest in this case.
> The precise legal definition of defamation varies from country to country. It is not necessarily restricted to making assertions that are false, and can extend to concepts that are more abstract than reputation such as dignity and honour. --- https://en.wikipedia.org/wiki/Defamation
However in such countries that don't limit defamation to facts, I believe doing things like posting a negative review of a business opens you up to having to pay damages despite everything you posted being true, verifiable facts.
Side note: My empirical experience is that vanity domains are disliked by some enterprise security systems. I have a friend who owns a .homes domain which ended up being blocked by quad9 as well as the enterprise security system of a friend's work for ~half a year. The block cleared by itself.
I had the same experience while buying another TLD. For ~1 month, certain people whose ISP "helpfully" had "safe browsing" features, simply blocked us outright. For being new and different.
The learning for me was that new domains are no longer trusted, and seemingly some vanity domains get even more strict treatment.
Oh man. The infinite loops of impossible verification by large companies that should know better are massive pain peeve of mine.
This goes right to the top for me, along the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).
No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
I wonder if finding people responsible and spamming then with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker
If bartenders are legally (including criminally!) liable in some jurisdictions for their customers, then certainly a chain of legal liability can exist in other industries.
> No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
Malicious in-attention then, by the profit driven org? :)
I prefer "please verify your account" to "thanks for joining" by a lot. The former presumably does not verify when I ignore it. The latter should be illegal but somehow isn't.
I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.
The registrar relying on Google Safe Browsing as a “trigger” for suspension is the most horrifying thing I’ve seen in a while. This basically makes the entire TLD unviable for serious use.
These alternative domains are quite popular with the fediverse and other hobbyist-run groups. Affordable domains with somewhat recognisable names still available.
Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.
I wonder if Radix has unknowingly created a negative feedback loop here. From Google's perspective, the DNS records disappear shortly after being flagged by Safe Browsing, which their heuristics may interpret as scammy behavior.
If it's already in the Console when it gets blacklisted, you can appeal it without having to 'verify' ownership of the domain that, in this case, you no longer control the DNS of, because you completed that process when adding it to Console.
> I don't understand. What is Google Search Console, and should I add all my domains there right now?
Google's way of tying real identifies of people to domains, without making it explicit.
Basically, your domain will be weirdly treated by a bunch of entities, none the less Google themselves, if you don't add your domain there (or some other Google property).
Especially with less common TLDs, like .online, they really want to be able to tie it to some identity, so unless you add it there, eventually your domain ends up on some sort of blacklist, in the case of the author it seems they used the "Google Safe Browsing" blacklist to get the author to involve Google somehow.
I still remember how Google banned my entire account without providing a reason for a small Android app (more than 12 years ago). To this day I have no idea why, it was absolutely green-area fit tracker or something. There was absolutely no way to know the reason or unblock my account. Turned me away from Android development forever.
A relative’s business has had Google reviews frozen for years. Search results show the bad rating after some former customer and spouse left bad reviews several years ago. Appeal went into a black hole. Running a small business is at the pleasure of Silicon Valley.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
I'm not particularly familiar with SEO or the massive black box that is Google Search - is this really as critical as the author makes it seem? I have both .lol and .party domains, both through porkbun (and the TLDs seem to be administrated by Uniregistry and Famous Four Media, respectively), and both are able to be found on Google Search. It seems like this preemtive blacklisting would be the result of some heuristics on Google's end; is .online just one of the "cursed" TLDs like .tk?
> is this really as critical as the author makes it seem?
It is critical in the sense that if you want to appeal the decision in a case like this, it will go much better if you pre-verified that you own the domain.
(I don't think it has much effect on google search placement at all)
But was this because it's .online? I got one and it was fine.
The only issue was the usual trap with all Namecheap domains: They tell you it's all set, and it works, until they randomly email you a week later asking for email verification. If you don't do that promptly, they suspend your domain until you trigger a resend. Which is easy to fix but also strange.
We need to rethink the web so that fewer third parties are involved in things that seem on the surface to be an A-B conversation. To say nothing of the trustworthiness of those parties, having them involved at all is needlessly brittle.
If the domain is being given away for free, it will be used a lot for scams etc, so a lot of systems will just start blocking it immediately. When I got my first domain, I used one of the free TLDs and my university blocked it completely due to it being a scam. Not for any of the content on it, just the TLD being commonly used by scammers
The domain has no history as far as I could search and the site was up for almost 6 weeks with no issues before it was nuked. I used it with Apple's review process!
That’s my question. I’ve launched many fresh websites that have not been marked as unsafe by Google. If they were habitually doing this, there would be far more reports of it.
I suspect there is something the author is not telling us.
The big scary red warning page should at least tell you it’s phishing or malware or something else. OP didn’t have a screenshot of that. You can easily go to a safe browsing test site yourself at testsafebrowsing.appspot.com and find that Google does divulge the category of the blacklisting.
OP says:
> no gore or violence or anything of that sort
That’s not even the right criteria. OP is confused about Google Safe Browsing vs Safe Search.
That sounds like a competitor of yours manually submitting your site to Google for “impersonating” them or something. Anyone can submit URLs to Google to suggest it be blocked: https://safebrowsing.google.com/safebrowsing/report_phish/ Perhaps some overworked underpaid analyst had a lapse of judgement. I’m sorry that this happens to you.
The problem isn't Google Safe Search backlisting the side (I mean that also is a problem, but a very different one).
The problem is the vanity domain registrar Radix using that as a reason to _put the whole domain on hold, including all subdomains, email entries etc._
This means:
- no way to fix accidental wrong "safe search" blacklisting
- if it was your main domain no mails with all the things it entails
- no way to redirect API servers, apps etc. to a different domain. In general it's not just the website which it's down it's all app, APIs, or anything you had on that domain
Google Safe search is meant to help keep chrome users safe from phishing etc. it is fundamentally not designed to be a Authority Institute which can unilaterally dictate which domains are no longer usable at all.
Like basically what Radix did was a full domain take down of the kind you normally need a judge order for... cause by a safe browsing helper service misfiring. That is is RALLY bad, and they refuse to fix their mistake, too.
You normally don't have _that_ level of fundamentally broken internal processes absurdity with the more reputable TLD operators (which doesn't mean you don't have that in edge cases, but this isn't an edge case this is there standard policy).
The registrar suspense domain because it on Google blocked list. And Google refuse to review the ban because he can't prove he own that domain (because it suspended :D).
My understanding from the article is that because the registrar for this domain is using Google safe browsing for their domain suspension, something that a) shouldn't be the case and b) isn't the case for other, perhaps more mainstream TLDs
> Freenom’s terms of service allowed them to “cancel” a free domain at any time without warning. Users reported for years that as soon as their free site started getting significant traffic (and becoming valuable), Freenom would reclaim the domain and fill it with ads, effectively hijacking the user’s hard work.
At least for the last few years of Freenom, you could only get a domain for up to a year. Once that lapsed, they parked it and you had to pay to extend it further.
yeah same here. I canceled my account on name.com because I had previously obtained a .art domain maybe for ~15-20 USD / yr. Then they wanted $50 USD a year to extend it. No thanks, dropped the domain and moved to namecheap
tried to roll my own email server on a .xyz domain...basically a big no go, couple of emails went through, then nothing, just a black hole. Thanks corpos and the safety theatre.
> Update: Within 40 minutes of posting this on HN, the site has been removed from Google's Safe Search blacklist. Thank you, unknown Google hero! I've emailed Radix to remove the darn serverHold.
I wouldn't party too soon - from my experience getting something removed from Google's libel machine doesn't mean the same process that put it there in the first place is fixed and it you will most likely go through the same thing again and again.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
This is just another way how Google has inserted themselves as the gatekeeper of the web.
One time I bought a .dev domain, which is/was run by Google, and after missing the renewal deadline by less than 24 hours, the renewal price jumped from less than $30, to $800.
That’s not fair. Google has no hesitation in banning its own customers either. Combine this with private equity vultures (namecheap) and shitty registrar, you are always one AI token away from being banned.
So, how is this not libel by Google? The claim was that you were running an "unsafe site". Its their job to prove that, and not just "black box says so".
And you have system and reputational damages.
Go for small claims suit, $5000. It'll cost more than that for their attorney to go to your jurisdiction.
because google safe browsing is only supposed to display a "not safe to browse" warning when using chrome browsers (and maybe some other browsers) wich you can (theoretically) dismiss(1)
it's not meant to have any other consequences
so basically what happens is that because of hearsay of google thinking you site is not bad Radix does what normally should involve a judge order (taking down the whole domain)
(1): Yes that still would cause damages on any site with customers, but like way less and way more fixable then what happened here.
This sounds like something ICANN should prevent. Is this not against ICANN rules? These fuckers ban emoji domains, maybe they should ban registries from arbitrarily stealing domains with no recourse. Maybe write to them and see if they can move something.
There are always the actual country TLDs, which (mostly) have specific regulations governing their use, and an actual government body to appeal to in case of unsolvable issues like this
The .com purist advice is sound but you're not getting four-letter domain names that way, and in some ccTLD zones you can still.
I was price-gouged out of owning a single, rare .icu domain when renewal fee for it went from 20 usd to 220 usd overnight, just for this one domain... I'm pretty sure it's not Gandi, but the TLD opetator, because other .icu domains I've had were fine. I decided to eventually abandon them all anyway. Moved away from Gandi later when they started doing gouging of their own, too.
I think that it's a good thing when domains aren't their main source of income. It gives them more incentive to provide good, stable experience and pricing.
Hot Take: the proactive action of the registrar here is probably more beneficial than the number of false positives captured. If the registrar is aware that Google is hot on blocking potentially harmful sites, it's right that they take action expeditiously.
The bigger problem is the unbanning - for which there should be a better system, probably that should take the form of the registrar having a short grace period to aid in the Google stuff (DNS verification etc.) with additional checks by the registrar to make sure it's not being used for spam/malicious content.
The other point being why was Google banning you so quickly? This is the opaque part. Was the site reported? Was there some URL hijinks? That's the thing you'll probably never find out.
The was my first thought as well. Yes, using the Safe Browsing list feels wrong, but I don't know enough to speak definitively in that regards. However wouldn't a relatively simple solution be that if a registrar is choosing to use some third party's list of banned DNS entries that the registrar then also implement sufficient unblocked components that will allow people to be unbanned from that third party?
> Add a DNS TXT or a CNAME record.
I haven't had a use-case for a TXT record come up yet, but isn't it low risk enough to allow domain owners to continue to configure TXT records even if the registrar wants to ban configuring other record types? Then the person in the article could prove ownership and could then get off of the third party ban list that the registrar was utilizing.
The registry cannot ban individual record types. That is not how DNS works.
The registry only maintains a list of NameServers associated with the domain (and records for DNSSEC zone signing). Registries have nothing to do with regular records. They only record who defines those records.
There is _some amount_ of justification to ban TXT. There have been a few cases of C2 servers using DNS to send instructions to malware, so letting TXT slip through the cracks would still allow for that.
Now whether this downside justifies the massive problem it causes on false positives...
TXT can't be banned. There are several RFCs that require TXT records, such as DKIM configuration, DMARC configuration, and it is extensively used for verification by things like AWS SES, Microsoft Office, and all kinds of things. It's built into many standards and used by all kinds of other entities for all kinds of perfectly legitimate things.
they didn't "just" take down the site, they took down the whole domain
Even google safe search isn't blocking you site per-se, it just adds a very annoying "this site is not safe" dialog you can "somehow" bypass (but most people wont and don't know how).
Like if this where the main site of a company (which it very much could be) this would also have taken down mail, all APIs, all Apps relying on such APIs.
so no this is absurdly unreasonable actions
that they seem to neither know nor care that this makes it impossible to "fix" false positives with google isn't helpful put this in the area of high levels of negligence which can get you into a lot of trouble in the EU
> The domain ... has been suspended due to its blacklisting on Google Safe Browsing
Et voilà ... ! this is precisely the slippery slope I warned about a decade ago. The indirect censorship becomes direct censorship, defeating all the arguments about the morality of such a list. And:
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
Yet more monopolistic power to Google.
This is 100% on Radix, not on Google. Google and Microsoft can (and probably should) have a registry of known-abusive websites. False positives are inevitable, so these should be taken with a grain of salt, but in most cases they're correct. Their lists are a lot more reliable than those from the "traditional" antivirus/anti-scam vendors that will list anything remotely strange to pump up their numbers.
The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.
Google’s allowed to have an opinion. But that doesn’t mean that the registrar should be suspending the domain immediately in response. These two mechanisms should be decoupled.
Google should not be allowed to make libelous statements without consequences.
(IAAL but this is not legal advice.)
It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.
Maybe libel is the wrong term, but erroneously marking a website as unsafe can lead to damages.
Google is stating in a position of authority. It's therefore being stated as at least a professional opinion with the equivalent weight of fact, or representing facts.
If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
Not to mention that the whole point of the list is for blocking in e.g. web browsers. Claiming it is just an opinion would be like a mobster claiming they didn't actually order a hit.
> If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
I agree with this! The registrar should not have triggered a suspension because of this. They're not obligated to, and the two processes should be decoupled.
How is it any more of an opinion to "mark" a website as "unsafe" than say, "contains CSAM"?
“contains CSAM” is likely an unarguable fact.
“unsafe” is a term that is both broader and more vague, so I would consider it opinion unless backed up by appropriate facts (like “contains CSAM”, “contains malware”, and so forth).
One is disprovable, the other is not.
They should be held legally culpable for libellous claims they make.
I dont care if their pre-LLM ai says "thingy bad". They are responsible for the scripts or black boxes they control. I dont care if they dont give a reason.
Claiming bad/malicious/etc site is 100% libel. And doubly so, anybody who has been forced to agree to a ToS with binding arbitration should have it removed for libel.
> Claiming bad/malicious/etc site is 100% libel.
No it isn't. https://www.law.cornell.edu/wex/defamation
Please, use words correctly.
That is the bit that jumped at me immediately too. Why would a registrar take it upon itself to suspend a domain that another entity entirely blacklisted as part of their own completely opaque process? Who is Google? God?
On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.
It's like being unable to get a passport because Microsoft has you on The List, and Microsoft needs to see your passport to check why you're on the list.
Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?
You know it's getting bad out there when corporations act like the government.
It's like the domain registrar is acting like a vassal state. I don't think Google actually has any say in their decision.
> Why would a registrar take it upon itself to
Because keeping Google happy or at least not bothered is an existential priority for registrars
Well until a human can verify.
Which likely is slow without a poke it's reasonable to base the decision on whats available.
That's just how reputation works.
It doesn't sound reasonable to me at all. Why would we think that the reasons google blacklists a domain would align perfectly with reasons a domain name would be suspended? In the end they don't seem to agree already since the domain was unsuspended. Who knows why it was blacklisted by google? Even the decision to unsuspend it looks arbitrary.
and anyone that trusts googles judgement here clearly needs a reputation of their own
How was this Google’s fault? Seems clearly like Radix’s fault.
It's both's fault. Google for making false and clearly damaging statements (libel) and Radix for acting on them.
(IAAL but this is not legal advice.)
It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.
I always wonder what the settlement and damages would be if google marked Amazon as a phishing site for even a few minutes.
The problem is that these gatekeepers of the internet respond to false statements of facts/opinions by so called professionals.
I had cloudflare mark a worker as phishing because a AI "security company" thought my 301 redirect to their clients website was somehow malicious. (url redirects are normal affiliate things)
If the professionals don't understand the difference and cloudflare and google blindly block things, this is scary.
It's being stated as fact, not as an opinion.
(IANAL) It's not about how it's stated, but whether it can be objectively proven to be true or false. "unsafe" refers to the likelihood of something bad happening in the future. You can't prove that something bad will happen in the future, so it's opinion.
Also not a lawyer, but that makes intuitive sense. If I say "that food tastes bad", it's phrased as a fact, but a "reasonable person" (which is in fact a legal test used for some things, although I admit I'm not sure about libel) knows that there's an implicit "...to me" qualifier because the concept of taste itself is inherently subjective. My instinct is that while there are some things everyone would agree on as unsafe, it pretty quickly turns into a judgment call, and it probably makes sense to allow even ill-informed opinions that are made in good faith rather than malice or negligence. The question then becomes whether there's sufficient evidence to conclude something like that, and while the bar is lower for a libel claim than something criminal, it's still not obvious this would be provable here.
This seems like a distinction without difference, given everyone in the ecosystem takes that "opinion" as true fact, including the market-leading browser produced by the "opinion"-haver.
I get that's mostly what corporate lawyers argue about, but it's functionally dishonest in this case.
Which is why:
> The precise legal definition of defamation varies from country to country. It is not necessarily restricted to making assertions that are false, and can extend to concepts that are more abstract than reputation such as dignity and honour. --- https://en.wikipedia.org/wiki/Defamation
However in such countries that don't limit defamation to facts, I believe doing things like posting a negative review of a business opens you up to having to pay damages despite everything you posted being true, verifiable facts.
Side note: My empirical experience is that vanity domains are disliked by some enterprise security systems. I have a friend who owns a .homes domain which ended up being blocked by quad9 as well as the enterprise security system of a friend's work for ~half a year. The block cleared by itself.
I had the same experience while buying another TLD. For ~1 month, certain people whose ISP "helpfully" had "safe browsing" features, simply blocked us outright. For being new and different.
The learning for me was that new domains are no longer trusted, and seemingly some vanity domains get even more strict treatment.
Oh man. The infinite loops of impossible verification by large companies that should know better are massive pain peeve of mine.
This goes right to the top for me, along the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).
Someone constantly adds my Gmail address as their Gmail account's backup address.
I constantly remove it whenever Gmail sends me the notification.
I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.
I logged in several times to other people's accounts and reset their passwords. But it's too tiring, people keep adding my email.
I hope it's because I have small simple email and not because they want to steal it.
No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
I wonder if finding people responsible and spamming then with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker
If bartenders are legally (including criminally!) liable in some jurisdictions for their customers, then certainly a chain of legal liability can exist in other industries.
> No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
Malicious in-attention then, by the profit driven org? :)
What is the word for harming other people in order to make more money for yourself, if not "malicious"?
With AI these days it’d cost almost zero money. /s
I prefer "please verify your account" to "thanks for joining" by a lot. The former presumably does not verify when I ignore it. The latter should be illegal but somehow isn't.
I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.
The registrar relying on Google Safe Browsing as a “trigger” for suspension is the most horrifying thing I’ve seen in a while. This basically makes the entire TLD unviable for serious use.
The followup from that would appear to be don't use any domain that Radix controls.
Who said serious use is their business model though.
The TLD owner in this case was Radix, which also owns
.store .online .tech .site .fun .pw .host .press .space .uno .website
https://radix.website/
They seem to be almost always associated with scam sites.
So, might as well to block entire TLDs and never buy a domain under those TLDs
The only .fun site I know is neal.fun, which regularly features on the front page here: https://news.ycombinator.com/from?site=neal.fun
These alternative domains are quite popular with the fediverse and other hobbyist-run groups. Affordable domains with somewhat recognisable names still available.
Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.
Because they are very cheap. If you are a scammer, why pay $5 for a domain when you can buy one of these for $1.
I use them when I need a random domain.
I wonder if Radix has unknowingly created a negative feedback loop here. From Google's perspective, the DNS records disappear shortly after being flagged by Safe Browsing, which their heuristics may interpret as scammy behavior.
One conclusion is:
> Not adding the domain to Google Search Console immediately.
I don't understand. What is Google Search Console, and should I add all my domains there right now?
https://search.google.com/search-console
And yes, you probably should, if only to pre-register your ownership thereof if google ever decides to nuke you from orbit
But if Google decides to nuke me from orbit, and my domain is registered there, the nuke can cross between my domain and my Google account.
Well, yeah, that's digital monopolies for you. I guess one can always create a dedicated google account to register each site with
Google ties your accounts together on the backend though if they realise they're related, so this isn't as easy as it sounds.
If it's already in the Console when it gets blacklisted, you can appeal it without having to 'verify' ownership of the domain that, in this case, you no longer control the DNS of, because you completed that process when adding it to Console.
> I don't understand. What is Google Search Console, and should I add all my domains there right now?
Google's way of tying real identifies of people to domains, without making it explicit.
Basically, your domain will be weirdly treated by a bunch of entities, none the less Google themselves, if you don't add your domain there (or some other Google property).
Especially with less common TLDs, like .online, they really want to be able to tie it to some identity, so unless you add it there, eventually your domain ends up on some sort of blacklist, in the case of the author it seems they used the "Google Safe Browsing" blacklist to get the author to involve Google somehow.
Can't answer if you should add them or not...
But if you do - you would get some notifications from Google about that website/domain.
I've only ever seen emails of the "There's an increase in 4xx/5xx errors on site/page(s)"
https://search.google.com/search-console/about. Yes. It gives you options in cases as described here.
Was called webmastertools before.
To request a formal review, you must be a verified owner in Search Console.
By adding your site to there you can get data on how many clicks & impressions your site received on google, what keywords it ranks for etc.
You can also request Google to index your site on GSC as well.
You should probably add your websites to GSC.
We posted this warning on HN before: https://news.ycombinator.com/item?id=40195410
We struggled a lot when we opted for the .online domain for https://pinggy.io urls
I still remember how Google banned my entire account without providing a reason for a small Android app (more than 12 years ago). To this day I have no idea why, it was absolutely green-area fit tracker or something. There was absolutely no way to know the reason or unblock my account. Turned me away from Android development forever.
A relative’s business has had Google reviews frozen for years. Search results show the bad rating after some former customer and spouse left bad reviews several years ago. Appeal went into a black hole. Running a small business is at the pleasure of Silicon Valley.
Same shit happend to me - got my google account blocked overnight and locked out of most of my digital life. Learned my lesson and ungoogled asap.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
I'm not particularly familiar with SEO or the massive black box that is Google Search - is this really as critical as the author makes it seem? I have both .lol and .party domains, both through porkbun (and the TLDs seem to be administrated by Uniregistry and Famous Four Media, respectively), and both are able to be found on Google Search. It seems like this preemtive blacklisting would be the result of some heuristics on Google's end; is .online just one of the "cursed" TLDs like .tk?
> is this really as critical as the author makes it seem?
It is critical in the sense that if you want to appeal the decision in a case like this, it will go much better if you pre-verified that you own the domain.
(I don't think it has much effect on google search placement at all)
But was this because it's .online? I got one and it was fine.
The only issue was the usual trap with all Namecheap domains: They tell you it's all set, and it works, until they randomly email you a week later asking for email verification. If you don't do that promptly, they suspend your domain until you trigger a resend. Which is easy to fix but also strange.
We need to rethink the web so that fewer third parties are involved in things that seem on the surface to be an A-B conversation. To say nothing of the trustworthiness of those parties, having them involved at all is needlessly brittle.
Why was the domain blacklisted though? What can we do to prevent blacklisting in the first place?
If the domain is being given away for free, it will be used a lot for scams etc, so a lot of systems will just start blocking it immediately. When I got my first domain, I used one of the free TLDs and my university blocked it completely due to it being a scam. Not for any of the content on it, just the TLD being commonly used by scammers
Probably cause of things like "southwest.online"
Most definitely nothing, as no sentient humans are probably involved in the process except possibly malicious people that report a site in bad faith.
From false alarm to something previous owner did. Remember domain is recycled.
The domain has no history as far as I could search and the site was up for almost 6 weeks with no issues before it was nuked. I used it with Apple's review process!
That’s my question. I’ve launched many fresh websites that have not been marked as unsafe by Google. If they were habitually doing this, there would be far more reports of it.
I suspect there is something the author is not telling us.
The big scary red warning page should at least tell you it’s phishing or malware or something else. OP didn’t have a screenshot of that. You can easily go to a safe browsing test site yourself at testsafebrowsing.appspot.com and find that Google does divulge the category of the blacklisting.
OP says:
> no gore or violence or anything of that sort
That’s not even the right criteria. OP is confused about Google Safe Browsing vs Safe Search.
I just wanted to cover all the bases. The site has one outgoing link to the App Store and 3 screenshots.
That sounds like a competitor of yours manually submitting your site to Google for “impersonating” them or something. Anyone can submit URLs to Google to suggest it be blocked: https://safebrowsing.google.com/safebrowsing/report_phish/ Perhaps some overworked underpaid analyst had a lapse of judgement. I’m sorry that this happens to you.
This is one of the pains of centralization. And honestly, it could happen with any TLD.
Unfortunate story. It wasn't clear to me that the .online TLD led to Google blacklisting the site. Why did you think that was connected?
The problem isn't Google Safe Search backlisting the side (I mean that also is a problem, but a very different one).
The problem is the vanity domain registrar Radix using that as a reason to _put the whole domain on hold, including all subdomains, email entries etc._
This means:
- no way to fix accidental wrong "safe search" blacklisting
- if it was your main domain no mails with all the things it entails
- no way to redirect API servers, apps etc. to a different domain. In general it's not just the website which it's down it's all app, APIs, or anything you had on that domain
Google Safe search is meant to help keep chrome users safe from phishing etc. it is fundamentally not designed to be a Authority Institute which can unilaterally dictate which domains are no longer usable at all.
Like basically what Radix did was a full domain take down of the kind you normally need a judge order for... cause by a safe browsing helper service misfiring. That is is RALLY bad, and they refuse to fix their mistake, too.
You normally don't have _that_ level of fundamentally broken internal processes absurdity with the more reputable TLD operators (which doesn't mean you don't have that in edge cases, but this isn't an edge case this is there standard policy).
The registrar suspense domain because it on Google blocked list. And Google refuse to review the ban because he can't prove he own that domain (because it suspended :D).
My understanding from the article is that because the registrar for this domain is using Google safe browsing for their domain suspension, something that a) shouldn't be the case and b) isn't the case for other, perhaps more mainstream TLDs
Are there any other TLDs that are of this ilk or are we saying nothing but .com will ever do? Or .org, perhaps?
It's not exactly the same, but a lot of owners of weird TLDs have got hit with insane renewal fees,.hosting went from $20/y to $300/y overnight.
Also, some TLDs directly speculate on having very low prices for the first year or two, then 10x it on year 2 or 3.
I would love a list of Radix TLDs or registrars who do this Safe Browsing ban with no appeal.
Also, go figure Namecheap works with these morons.
from their site (radix.website):
.store, .online, .tech, .site, .fun, .pw, .host, .press, .space, .uno, .website
not sure about other registrars
The ones used by freenom were particularly abused:
https://prezkennedy.com/2026/01/15/the-free-domain-trap-the-...
> Freenom’s terms of service allowed them to “cancel” a free domain at any time without warning. Users reported for years that as soon as their free site started getting significant traffic (and becoming valuable), Freenom would reclaim the domain and fill it with ads, effectively hijacking the user’s hard work.
Oh, sh!t, I used to own a .tk! Have no idea what happened to it.
At least for the last few years of Freenom, you could only get a domain for up to a year. Once that lapsed, they parked it and you had to pay to extend it further.
Some of these TLD also get thrown under weird arbitrary blacklists by security vendors.
Sorry, can’t buy a frame.work laptop because that’s a “Malicious TLD”, according to the folks at ZScaler.
Last year, my registrar wanted €64,99 to extend an online domain which I had created for fun.
No thanks.
yeah same here. I canceled my account on name.com because I had previously obtained a .art domain maybe for ~15-20 USD / yr. Then they wanted $50 USD a year to extend it. No thanks, dropped the domain and moved to namecheap
If the price increase was from the registrar and not the registry you should have been able to move to a different registrar with saner prices.
tried to roll my own email server on a .xyz domain...basically a big no go, couple of emails went through, then nothing, just a black hole. Thanks corpos and the safety theatre.
Call me a luddite but if it isn't one of the original big TLDs, a country TLD, or similar, I just don't trust it for anything serious.
Having .online already 5 years. No problems with email or website. Don’t understand that blog post. More problems can be with .xyz
> Update: Within 40 minutes of posting this on HN, the site has been removed from Google's Safe Search blacklist. Thank you, unknown Google hero! I've emailed Radix to remove the darn serverHold.
I wouldn't party too soon - from my experience getting something removed from Google's libel machine doesn't mean the same process that put it there in the first place is fixed and it you will most likely go through the same thing again and again.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
This is just another way how Google has inserted themselves as the gatekeeper of the web.
One time I bought a .dev domain, which is/was run by Google, and after missing the renewal deadline by less than 24 hours, the renewal price jumped from less than $30, to $800.
Google have way too much power to mess people's lives up. Especially for an organisation with basically zero customer support.
I blame both the registry and Google.
If you were a lawyer, you could have fun with this.
Btw, perhaps unrelatedly, we had a domain marked as unsafe by Google as well for no particular reason.
A great reminder even if you aren't a Google customer, Google's love of banning people with no notice or recourse will still screw you over.
I'm shocked there was no notification, or alert, of any kind. One moment you're there, the next, you're gone and no one will talk to you. Insanity.
That’s not fair. Google has no hesitation in banning its own customers either. Combine this with private equity vultures (namecheap) and shitty registrar, you are always one AI token away from being banned.
Shit, didn’t know that namecheap was acquired by PE! Very sad news. Is there any registrar left that isn’t crap?
Porkbun is not bad, Gandi has fallen as well.
Not sure how you feel about them as a company, but I use Cloudflare because they sell domains at cost.
Dynadot
Another case of Google extorting users and showing mafia-like behaviour.
So, how is this not libel by Google? The claim was that you were running an "unsafe site". Its their job to prove that, and not just "black box says so".
And you have system and reputational damages.
Go for small claims suit, $5000. It'll cost more than that for their attorney to go to your jurisdiction.
It’s not libel. Defamation requires a false statement of fact. Claiming a website is “unsafe” is an opinion.
(IAAL, but this is not legal advice. Consult a licensed attorney for legal advice.)
because google safe browsing is only supposed to display a "not safe to browse" warning when using chrome browsers (and maybe some other browsers) wich you can (theoretically) dismiss(1)
it's not meant to have any other consequences
so basically what happens is that because of hearsay of google thinking you site is not bad Radix does what normally should involve a judge order (taking down the whole domain)
(1): Yes that still would cause damages on any site with customers, but like way less and way more fixable then what happened here.
This is libel, indeed.
“never buy a non-.(com|net|org) domain”
ftfy
I agree, but if I ever get a chance at .edu, .mil, or .gov I'm gonna take it.
This sounds like something ICANN should prevent. Is this not against ICANN rules? These fuckers ban emoji domains, maybe they should ban registries from arbitrarily stealing domains with no recourse. Maybe write to them and see if they can move something.
honestly all of these weird tld are expensive in the long term i dont see the point of getting them
I don’t know that the advice is solid in terms of never buying an alternate TLD.
There are always the actual country TLDs, which (mostly) have specific regulations governing their use, and an actual government body to appeal to in case of unsolvable issues like this
The .com purist advice is sound but you're not getting four-letter domain names that way, and in some ccTLD zones you can still.
I was price-gouged out of owning a single, rare .icu domain when renewal fee for it went from 20 usd to 220 usd overnight, just for this one domain... I'm pretty sure it's not Gandi, but the TLD opetator, because other .icu domains I've had were fine. I decided to eventually abandon them all anyway. Moved away from Gandi later when they started doing gouging of their own, too.
What is HN's opinion on Dynadot?
Yeah, what the heck happened to Gandi? It used to be my go-to, but nowadays... yikes!
They got sold to private equity, unfortunately. I switched to Bookmyname (by Scaleway) for some TLDs, and Infomaniak for others.
Can we trust Cloud registrars like Bookmyname/Scaleway, Amazon Route 53, Cloudflare more than Namecheap, Gandi and co?
I think that it's a good thing when domains aren't their main source of income. It gives them more incentive to provide good, stable experience and pricing.
Private equity cancer, same as Namecheap.
Reddit's r/namecheap is also full of horror stories.
Enshittification at its peak (or is it at its peak already?)
There is no peak, because it's a hole, and we can always dig deeper.
OP shouldn't blame .online registry operator Radix.
It's literally 100% Radix's fault?
Because? It seems like the blame is very squarely on their shoulders.
Hot Take: the proactive action of the registrar here is probably more beneficial than the number of false positives captured. If the registrar is aware that Google is hot on blocking potentially harmful sites, it's right that they take action expeditiously.
The bigger problem is the unbanning - for which there should be a better system, probably that should take the form of the registrar having a short grace period to aid in the Google stuff (DNS verification etc.) with additional checks by the registrar to make sure it's not being used for spam/malicious content.
The other point being why was Google banning you so quickly? This is the opaque part. Was the site reported? Was there some URL hijinks? That's the thing you'll probably never find out.
Relying on Google for this is actually not beneficial, as discussed here many times: https://hn.algolia.com/?q=Google+safe+browsing
If the registrar tracks this information, a possibly helpful course of action would be to notify or warn the domain owner that they are on the list.
In the modern adversarial web, I do not want a registrar that proactively disables my domain because of some third party report.
> The bigger problem is the unbanning
The was my first thought as well. Yes, using the Safe Browsing list feels wrong, but I don't know enough to speak definitively in that regards. However wouldn't a relatively simple solution be that if a registrar is choosing to use some third party's list of banned DNS entries that the registrar then also implement sufficient unblocked components that will allow people to be unbanned from that third party?
> Add a DNS TXT or a CNAME record.
I haven't had a use-case for a TXT record come up yet, but isn't it low risk enough to allow domain owners to continue to configure TXT records even if the registrar wants to ban configuring other record types? Then the person in the article could prove ownership and could then get off of the third party ban list that the registrar was utilizing.
The registry cannot ban individual record types. That is not how DNS works.
The registry only maintains a list of NameServers associated with the domain (and records for DNSSEC zone signing). Registries have nothing to do with regular records. They only record who defines those records.
There is _some amount_ of justification to ban TXT. There have been a few cases of C2 servers using DNS to send instructions to malware, so letting TXT slip through the cracks would still allow for that.
Now whether this downside justifies the massive problem it causes on false positives...
TXT can't be banned. There are several RFCs that require TXT records, such as DKIM configuration, DMARC configuration, and it is extensively used for verification by things like AWS SES, Microsoft Office, and all kinds of things. It's built into many standards and used by all kinds of other entities for all kinds of perfectly legitimate things.
yes, but in that cases we are on the "this (should) involve a criminal investigation" level not on a "Google Safe Search" doesn't trust you level
they didn't "just" take down the site, they took down the whole domain
Even google safe search isn't blocking you site per-se, it just adds a very annoying "this site is not safe" dialog you can "somehow" bypass (but most people wont and don't know how).
Like if this where the main site of a company (which it very much could be) this would also have taken down mail, all APIs, all Apps relying on such APIs.
so no this is absurdly unreasonable actions
that they seem to neither know nor care that this makes it impossible to "fix" false positives with google isn't helpful put this in the area of high levels of negligence which can get you into a lot of trouble in the EU