domains – Terence Eden’s Blog

Exploring BlueSky's Domain Handles

@edent — Tue, 03 Dec 2024 12:34:57 +0000

Hot new social networking site BlueSky has an interesting approach to usernames. Rather than just being @example you can verify your domain name and be @example.com! Isn't that exciting?

Some people are @whatever.tld and others are @cool.subdomain.funny.lol.fwd.boring.tld

I wanted to know what the distribution is of these domain names. For example, are there more .uk users than .org users?

Shut up and show me the results

You can play with the interactive data

Oh, and the large number of .gy domains is due to The Fediverse Bridge.

Getting the data

BlueSky has an open "firehose" of the data passing through it. Following the sample code I listened for public interactions - people posting, liking, or follows.

From there, I grabbed every username which wasn't on the default .bsky.social domain. I left the code running for a few days until I had over 22,000 usernames.

Note, these data are all public - although I'm not sure if users necessarily realise that. It doesn't include lurkers (people who don't interact). Some of the accounts may have been moved, banned, or deleted.

Drawing a TreeMap

I used Plotly's TreeMap library to draw a static map of all the Top Level Domains (TLD).

As you can see, .com dominates the landscape - but there are quite a few country code TLDs in there as well.

Public Suffixes

Domain names have the concepts of Public Suffixes. For example, users can register domains at .co.uk and .org.uk as well as just plain .uk. The Python tldextract library allowed me to see which domains were public suffixes, so I could attach them to their parent TLD.

I then drew a TreeMap showing this.

Note! You'll need to hack your Plotly installation to allow empty leaf nodes to get in the same style as the first map.

So what? What next?

Not everyone from, say, Brazil will have a .br domain name - but it is fascinating to see which countries dominate.
It might be fun to go full "Information Is Beautiful" and turn each ccTLD into its country's flag.
Are there ethical implications of recording the fact that an account has publicly shared themselves on a social network?
What percentage of all users have a domain name handle?

Get the code

Everything is open source on GitHub.

A few thoughts on domain verification for social media

@edent — Sun, 01 Dec 2024 12:34:24 +0000

Both Mastodon and BlueSky have the concept of "self-verification". Rather than trust a central authority to assess your notability and then bless your account (as Twitter used to do), they let anyone self-attest using Domain Verification⁰.

What does that mean?

You tell the service what your website is.
The service gives you a secret code¹.
You upload that secret code onto your website.
The service checks the secret code is on the website.
If it is, the service says your domain is verified.

On Mastodon, that gives you a green tick next to your link. On BlueSky, it gives you the ability to change your username to your website's name.

This is reasonably strong proof that you are the owner of that website. I don't have the ability to add the secret file I've been given to bbc.co.uk, so I cannot impersonate them.

But it isn't all sunshine and roses. There are some important issues with this process.

Revocation and Revalidation

Let's say an employee has validated alice.big_company.com - what happens when Alice leaves²?

Well, you just delete the secret code from your website, right?

In theory yes. But in practice, no.

From BlueSky:

We're working on adding the ability to revalidate these handles periodically.

And Mastodon:

Verified links are currently verified at each time the profile is updated, but they will only be verified once, when initially entered.

So, at the moment, there is a risk that revalidation isn't completed and revocation never happens³. Accounts which were once trusted may stay trusted, even when they're no longer trustworthy.

Copy Cat Domains

You're chatting with your credit card company's social media account. You see that they've verified the domain.

Wait?! Are they really mastercrrd.info ✅?

There are several practical attacks against humans trying to validate a domain name. A simple misspelling is easy to overlook. There are thousands of top level domains, and you may not be sure if your bank uses .com, .uk, .tech, or something else. It only costs a few quid for an attacker to buy a domain which contains a politician's name.

International domain names mean that homograph attacks are possible.

Humans aren't very clever

Recently, several prominent journalists on BlueSky embarrassed themselves by pronouncing fake accounts to be real. The journalists - with all their resources and contacts - didn't bother to actually verify if the person who registered @KemiBadenoch was really the Leader of the Opposition.

They could have checked her website to see if it linked to the new account. They could have rung up the Tory press office. They could have checked to see if she have verified her account. Or they could have done a dozen other things to verify the facts before posting. They didn't.

These aren't random users blindly reposting. These are highly educated, thoroughly trained fact-finders. Their mission is accuracy and their livelihood depends on being able to report the truth. And yet they just assumed that no one would lie on the Internet.

Would a journalist be able to spot that tailer-swift.fartotron.xyz was an impersonator? I highly doubt it⁴.

Hacks Happen

Even when Twitter was validating celebrities correctly, it didn't stop the accounts getting hacked.

An attacker might compromise your social media account or your domain name registrar.

Just because an account and domain appear verified, it doesn't mean they're legitimate. Is that politician you follow really posting about dietary supplements?

It might be too difficult for large organisation

I've written An Easy Guide To BlueSky Verification. It can be as simple as uploading a single file to your website. Although I have some sympathy for claims that managing the process for hundreds of employees might be difficult.

Based on my calculations around 5% of active BlueSky users have verified their domain.

The alternative isn't much better

Verification is hard. Can an over-worked verification team spot that I've photoshopped a passport so that it looks like someone else's?

There are hundred of famous people called John Williams - which one do you verify?

Also, what are you verifying? In my post on Rethinking Twitter Verification, I pointed out that the ambiguity of verification leads to some weird and non-obvious outcomes.

Final thoughts

There are no simple technological fixes to complex social issues.

But I'm naïve enough to believe that, with time, we can train people to be better at assessing the information they are given.

It is a lot more complicated than that - as per this essay by Christine Lemmer-Webber. ↩︎
Secret in the sense that they only generate it for you. It isn't private. Nothing bad will happen if other people see it. ↩︎
Let's assume she's naughty and doesn't remove the validation herself from her profile. ↩︎
It appears that it takes BlueSky around 2 hour to detect and revoke verification. ↩︎
Prove me wrong. Seriously. So many journalists seem utterly credulous. ↩︎

.ss TLD opening for direct registrations

@edent — Wed, 31 Jul 2024 11:34:05 +0000

It looks like South Sudan's Top Level Domain is going to start allowing direct registrations!

Long-time readers of this blog will know that it's possible to register .me.ss domain names - there are various other 3rd level domains you can buy.

But, from the 1st of August 2024, you'll be able to apply for a 2nd level. So you'll be able to grab example.ss.

Here's the official announcement.

As per normal for a new TLD, there will be a period where organisations with Trade Marks can register their domains. Then a period where anyone with sufficient cash can register their cool idea for a domain. Then it opens up to everyone.

So what will they cost? Afriregister provided these prices:

Period	Domain	Registration	Renewal
Sunrise (2 years)	.ss	€1020	€110
	.co.ss	€610	€60
Landrush (1 year)	.ss	€300	€110
	.co.ss	€160	€60
Early Access (1 year)	.ss	€220	€110
	.co.ss	€160	€60
General (1 year)	.ss	€110	€110
	.co.ss	€60	€60

For comparison, their .me.ss domains are only €25.

Registrations will only be allowed in ASCII - which means no IDNs. The majority of the languages officially recognised in South Sudan appear to be written in the Latin script, so that shouldn't be a huge issue.

As is common with all other TLDs, there is a list of words which will not be allowed to be registered.

Applications will not be accepted for domain names appearing on the Second Level Domain (SLD) block list.

When I previously investigated this, there were lots of names which weren't available due to local politics. Although there is an archived version of the list of banned words (PDF), the modern SLD Block List appears to have vanished from the registry. I've asked them for an updated list which I'll link to once I get it.

I think it is fair to say that the .ss TLD has had a tumultuous history. There hasn't been much discussion of this change in policy since the announcement a few weeks ago - but I hope that this opening up will help South Sudanese people & businesses to establish their own distinct presence on the Internet.

What the UK Government gets wrong about QR codes

@edent — Wed, 20 Mar 2024 12:34:04 +0000

One of my most memorable experiences in the Civil Service⁰ was discussing link shortening services with a very friendly¹ person from the Foreign and Commonwealth Office.

I was trying to explain why link shortners like bit.ly and ow.ly weren't sensible for Government use. They didn't seem to particularly care about the privacy implications or the risk of phishing. I needed to take a different tack.

"So, you know how .uk is the UK and .de is Germany, right?"
"Yes."
"What country do you think .ly is for?"

There was some consulting of ISO 3166-1 alpha-2 whereupon the blood drained from their face and they stepped outside to make a phone call.

A little while later, the National Cyber Security Centre published an explainer about why they weren't using bit.ly any more.

Throughout my time in the Civil Service I advocated for the use of .gov.uk URls everywhere. They're a trusted destination for users, they're under Government control so are less likely to be hijacked, and they don't require users to give their data to third parties.

I helped the Government Communication Service write "Link shorteners: the long and short of why you shouldn’t use them."

Today, in the post, I received six QR codes for Government services. Let's take a look at them.

The Good

Policing Surrey have a QR code which points to surrey-pcc.gov.uk/...

Excellent! 10/10! No notes.

Woking Council send out this code which use qr.woking.gov.uk

Brilliant! The use of the qr. subdomain means they can easily track how many people follow the link from the code.

The Bad

Childcare Choices is a leaflet which is, I assume, shoved through everyone's letterbox. All the URls in the leaflet say gov.uk² - but what happens when you scan?

Our old ~~friend~~ enemy Bitly. A user scanning this has no idea where that code will take them. They cannot access the content without giving their data away to Bitly.

Surrey also sent me a leaflet with two different QR codes.

There are many reasons not to use .io. Of particular interest is the scnv.io privacy policy which, if you click that link, you will see is missing from their website! What does this company do with the data of people who scan that code? No one knows!

The Ugly

Surrey police started so well, but the back of their leaflet is a major disappointment.

Aside from using an unintelligible Bitly link, the QR code is inverted. The QR standard is very clear that the codes should be black-on-white. Some scanners will have difficulty scanning these white-on-dark codes. They may look æsthetically pleasing, but it's a pretty rubbish experience if you can't scan them.

Now What?

I've been writing about QR codes for 17 years! I'm thrilled that they've finally caught on. But, like any piece of technology, they need to be used sensibly. The rules are pretty straightforward - mostly boiling down to testing your codes and keeping them simple.

Is there a risk risk of QR hijacking? Possibly. The best defence is to train users to look for a trusted URl.

In this case, using link shorteners is training users to be phished. If they are used to official Government QR codes going to weird locations, they won't notice when a scammer tries to send them to a dodgy site.

Please practice safe QR generation!

I am no longer a Civil Servant. The Government's views are not my own. And vice-versa. ↩︎
But not so friendly that they'd tell me their surname... ↩︎
When I was there, the "Brand Police" were insistent that it should be referred to as GOV.UK in all-caps. The leaflet exclusively uses the lower-case version. Sorry Neil! ↩︎

A quick look inside the HSTS file

@edent — Wed, 03 Jan 2024 12:34:36 +0000

You type in to your browser's address bar example.com and it automatically redirects you to the https:// version. How does your browser know that it needed to request the more secure version of a website?

The answer is... A big list. The HTTP Strict Transport Security (HSTS) list is a list of domain names which have told Google that they always want their website served over https. If the user tries to manually request the insecure version, the browser won't let them. This means that a user's connection to, for example, their bank cannot be hijacked. A dodgy WiFi network cannot force the user to visit an insecure and fraudulent version of a site.

After about a decade of use, the list is now 14MB in size, with around 130,000 entries in it. You can view the list online or download it.

The format is relatively straightforward:

{
 "name": "example.com",
 "policy": "bulk-1-year",
 "mode": "force-https",
 "include_subdomains": true 
},

When the list is updated, Chrome creates a trie with Huffman coding compression - so it doesn't have to parse that monster file each time.

A rummage inside

The most popular (over 1,000 entries) TLDs / Public Suffixes are:

Rank	TLD	Entries
1	com	43,236
2	tk	19,022
3	de	5,216
4	org	4,731
5	gov	4,507
6	net	4,410
7	ga	4,326
8	nl	2,671
9	cf	2,458
10	ml	2,271
11	co.uk	2,139
12	fr	1,714
13	ru	1,516
14	eu	1,283
15	com.br	1,226
16	gq	1,225
17	io	1,215
18	com.au	1,202
19	it	1,103
20	cz	1,004

After .com, the free .tk domain names absolutely dominate. I wonder how many of them are fraudulent?

There are 2,676 .uk domain names - only 537 of which aren't on .co.uk.

Going a bit further, there are 418 IDNs (which start with xn--).

And about 187 have "porn" in the domain.

You can't really extrapolate much from this as a data set. Lots of the domains seem to have expired or otherwise no longer work. Reading around https://hstspreload.org it notes that because this list is hard-coded into Chrome it can take months before a site is added. Similarly, removal can take a long time as well.

I can't help feeling that there should be a better way to manage all this though.

Some more silly Punycode domain names

@edent — Sun, 04 Dec 2022 12:34:45 +0000

You know how it is, you buy one silly domain name and then you get an idea for loads more! A few weeks ago, I got https://⏻.ga/ - I think I'm the first person to get a domain name which uses a glyph from the Miscellaneous Symbols Unicode block. How exciting!

And that got me wondering… what other abuses of the Punycode algorithm can I whack into DNS? Well, here's some I whipped up using FreeNom - they offer free domain names on the .ga TLD (and a few others) and are very liberal in accepting Punycode domains.

There's millions of domains all under one roof

For some reason, the children's retailer "Toys 'R' Us" uses a backwards R in their logo. Presumably because they think kids are stupid and don't know how to form letters.

Or, maybe they're big fans of the reversed letter ᴙ? Either way, Punycode supports that!

I present to you:

https://ToysᴙUs.ga/

Yup! Copy and paste that and it'll work. Webkit based browsers should show the ᴙ in the URl bar - others might show Punycode.

NB: This is not the Cyrillic ya - it is, instead, a homoglyph.

Touch a Touch a Touch a Touch Me

I think this is the world's first domain name written in Braille.

https://⠠⠃⠗⠇.ga

That uses Unified English Braille - with a Grade Two contraction.

Interestingly, I couldn't get any browser to display Braille in the URl bar. The other domains on this page work - but this one just gave the Punycode representation xn--9iii1c8a.ga

These domains go up to 11

Without a doubt, the loudest band in rock and/or roll are the legendary "Spın̈al Tap" - note the dotless I and the heavy-metal umlaut over the N.

Again, Punycode supports that!

https://Spın̈alTap.ga/

Interestingly, this was the only domain that Firefox displayed without converting to Punycode.

Some kind of Einstein

This one combines another trick. As I pointed out in my post about buying a single character domain name, we can abuse Unicode normalisation in our domain names. So the Unicode Superscript block gets automatically converted to regular text.

This means we can have a domain of:

https://e꞊mc².ga/

The "equals" is really "modifier letter short equals sign (U+A78A)" which, surprisingly, doesn't undergo normalisation.

What didn't work

It's always good to share the experiments which didn't produce anything useful. Negative results are results too!

Zalgo Text doesn't work.
🂡 and other playing cards don't work.
I figured trying to use something like xn--hsbccom-oy9d61a would probably get me banned from the Internet pretty quickly!
This didn't open up a portal to the Dark Dimension from which all madness stems. Oh well.

Up next?

If you manage to generate any weird and wonderful domain names, please leave a comment.

Not Quite Emoji Domain Names

@edent — Fri, 04 Nov 2022 12:34:13 +0000

Like all good geeks, I have far too many domain names that I acquired for interesting projects which never took off. My latest is a bit different though.

https://⏻.ga/🔗

That's "Unicode Power Symbol Dot Gabon". Because why not.

Regular readers will know that I helped get ⏻ and several power symbols into Unicode. When I do talks about this, I usually refer to them as Emoji because, to most people, Emoji are simply little pictures in text. But that is a gross oversimplification. You know the meme that real Champagne must be from the Champagne region of France - otherwise it is merely sparkling wine? Well, Emoji must come from the Supplementary Multilingual Plane of Unicode otherwise they're just ✨sparkling✨ characters.

Except... That's not quite true. There are a bunch of symbols stuffed in the Miscellaneous block of the Basic Multilingual Plane which are also Emoji.

The Power Symbol appears in the block Miscellaneous Technical. The symbol itself is not an Emoji, but it is in a block which has 18 Emoji. Confused? Good⁰!

Domain names can only contain the ASCII characters A-Z, 0-9, and -. That's a problem if you speak anything other than basic English. Luckily, there's a workaround! I have a Chinese language domain 莎士比亚.org - through the magic of the Punycode Algorithm, it becomes xn--jlq54w7ypemw.org. This use of non-Latin letters in domains is known as IDN - Internationalised¹ Domain Names.

IDNs have several officially supported "scripts" - for example Thai, Greek, Hebrew, Cyrillic, Chinese etc. Each top level domain (like .uk, .com, .中国) can choose which scripts they'll accept. For example, a Chinese Top Level Domain may only accept Chinese characters and not Greek characters. IANA maintains a list of which domains support which scripts. But it is incomplete. Because it doesn't mention Emoji.

The Punycode algorithm works with emoji. This means you can have Emoji in domain names! Mostly. And that "mostly" is important.

Not every Top Level Domain accepts Emoji domain names (because they hate having fun, I guess?²)

The .ga registry doesn't publish any rules showing which scripts it will accept³. But seems quite happy to take registrations for Punycode domains. So I registered https://xn--soh.ga/ and, after an unusually long delay, it worked!

Does this mean ⏻.ga is an Emoji domain? No! ⏻ is not an Emoji! It is a small pictographic symbol encoded in Unicode.

Does this mean ⏻.ga is an IDN? No! ⏻ is not an international script. It is a language-neutral technical symbol.

So what the fuck kind of domain is it?

Drop an answer in the box bellow.

For more information, please read the Book of Genesis, Chapter 11, verses 1-9. ↩︎
As if English weren't international! ↩︎
But also, quite reasonably, for legitimate security concerns of having Emoji domains. ↩︎
Do let me know if I am wrong. ↩︎

What's the cheapest domain you can register for 10 years?

@edent — Fri, 09 Sep 2022 11:34:22 +0000

I'm concerned about the longevity of the domains I register. I want my domains to be available for as long as possible. But it seems that every year prices rise - and the discount often provided for a new domain rarely continues into subsequent years.

So I recently started renewing them for as long as possible. It turns out that most domains can be registered for a maximum of 10 years⁰.

A typical .uk domain will set you back the thick end of a hundred quid if you want it for a decade! Can I find something cheaper?

There are some free domain services like freenom.com. They'll give you a .ml domain for free. But you'll have to log in every year if you want to renew it. And, as I recently found out, they will sometimes just take away your free name and try to charge you for it.

Similarly, .pp.ua offers free domains to people in Ukraine. They can only be registered for a single year at a time though.

If you want a Top Level Domain which you can renew for a decade, the cheapest appears to be .feedback which costs a smidge under £13 for 10 years.

But, of course, there is a catch! You have to use the .feedback website hosting service which, frankly, looks rubbish.

It doesn't seem to be receiving any updates. I've tried contacting them to see if any improvements are planned, but didn't receive a reply. You can't set your own nameservers, nor can you add MX records or anything useful like that.

The cheapest fully functional domain which you can register for a decade appears to be .cyou from Sav.com at about £23 (US$27.60).

Up next is .stream from Porkbun - you can buy a 10 year domain for ~£30 (US$35.60).

As pointed out on the HackerNews discussion on this post, you can register a .in domain for 10 years for £37.

So, there you have it. For between £23 - £40 you can buy a useful domain name which will stay registered to you for a decade. If you can find anything cheaper - please let me know in the comments.

Of course, paying for hosting for a decade is a different matter!

Do let me know if there are exceptions to this rule which are available to the general public. ↩︎

🔥.me.ss! You can't register emoji domains in South Sudan

@edent — Sun, 25 Jul 2021 11:23:07 +0000

It's useful to share negative results. Not every experiment has an amazing or successful outcome.

tl;dr you can't register Punycode .ss domains.

This also means Internet users in South Sudan can't register domains using their own writing system.

Background

The Republic of South Sudan became independent and joined the United Nations back in 2011. A decade later, and it's now possible to register .ss domains.

Partly due to the history of the letters SS, and partly because of the way domains are usually organised, you cannot register a .ss domain directly. You can have .com.ss, .edu.ss, .biz.ss, .sch.ss, .gov.ss, .net.ss, and - my new favourite - .me.ss!

This allows for some interesting domain hacks. Perhaps host a recipe page for Eton Mess? Or complain about trash at your_town.me.ss?

I was looking at hot.me.ss - but someone already snapped that up. However, the registrar said they allowed Punycode registration. Which means... EMOJI DOMAINS!

So, for €24, Afriregister.com.ss sold me...

🔥.me.ss

For the Punycode minded among you, that's xn--4v8h.me.ss

The process

This wasn't quite as simple as I hoped. There are several registries which claim to support .me.ss - but halfway through the process, they'd decide that they couldn't register it. Some of the registrars outside of Africa wanted extortionate prices for domains. But Afriregister.com.ss were relatively cheap and hassle-free. They let you pay via PayPal.

Domains have to be approved. There is a long list of banned terms. Some of those restrictions are very specific to the people of South Sudan - so it is worth reading.

The failure

The registration still hadn't completed after 12 hours. So the next day I chatted to the registrar.

Damnit!

Looking more closely at nic.ss's registration policies, they say

4.1 All .SS Domain Names MUST have a minimum of THREE (3) characters. 4.2 All .SS Domain Names should not have more than 63 characters. 4.3 All .SS Domain Names should have a syntax pattern of [a-z 0-9].

It didn't explicitly allow or deny hyphens - so I thought I'd risk it.

Oh well, that would have been fun if it worked.

As I said, it's important to publish about things which don't work. It stops other people from wasting their time on futile pursuits.

So, I've now got credit with the registrar. What .me.ss domain should I get?

Buying a single character domain - and 3 character FQDN - for £15

@edent — Sat, 15 Aug 2020 11:34:24 +0000

Short domains are useful for security testing. If you only have a limited number of characters, you need to be able to reference code on a remote server in as few characters as possible.

A few years ago, I tried to find a Minimum Viable XSS. The conclusion that I (and others) came to is that 20 characters is the bare minimum. But it requires you have a 2 character domain name on a 2-character TLD. Something like xy.uk

I don't think any 1- or 2-character domain names are available. If they're for sale, it will be at extortionate price. There are no Top-Level Domains shorter than 2 characters.

So, let's cheat!

This is the story of how I bought a single character domain, and am able to reference it in 3 characters, for the cost of a round of drinks.

Brief History

As I discussed in Domain hacks with unusual Unicode characters - there are a bunch of single Unicode codepoints which are normalised to 2- or 3-character sequences.

For example, ㎐ is the scientific symbol for Hertz. It is a single codepoint (U+3390). When your browser sees it in a domain name, it automatically splits it into the H and z characters. This is called decomposition.

Based on my count, there are about 90 symbols which decompose into 2 characters - for example ™, ㏄, ǳ. There are about 35 symbols which decompose into 3 characters - for example ㎪, ㍹, ﬃ.

But, as mentioned, it is almost impossible to find a cheap 2- or 3-letter domain name.

There are, however, a couple of four character decompositions!

Quidquid latine dictum sit, altum videtur

The Romans didn't use a positional number system. The number 1 was Ⅰ, the number 2 was Ⅱ, the number 9 was Ⅸ.

But - look closely! The Ⅰ is not the English letter I - it is its own, separate, Unicode character (U+2160). And Ⅱ is not two Ⅰs smushed together, it is (U+2161).

When decomposed, however, they return to English letters.

What's the longest Roman numeral captured in a single codepoint?

The number 8 is Ⅷ (U+2167) - which decomposes to V I I I. Four characters!

but apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, public health, and a number system suitable for character decomposition what have the Romans ever done for us?

tl;dr TLD

There are a number of Top-Level Domains which can also be represented by a single character.

For example, Australia's TLD .au can be represented by the Astronomical Unit sign ㍳ (U+3373).

Most of those domains were expensive, or unavailable. But I found one which was both cheap and available.

Yes! The orthographic ligature of ﬁ decomposes to f and i. That's the TLD for Finland.

I was able to register a Finnish domain on Gandi for £15.

`Ⅷ.ﬁ`🔗

That's Roman Numeral Eight (U+2167), dot (U+002E), Latin Small Ligature Fi (U+FB01).

Is this useful?

This gives me a Minimum Viable XSS in eighteen characters!