Don't Let Personal Domains Expire

post by jefftk (jkaufman) · 2022-03-06T02:50:04.343Z · LW · GW · 6 comments

It's common to see advice along these lines:

Don't build your stuff in someone else's sandbox. Get your own domain and point it to whatever service you choose to use. Your email address should be @yourdomain, where you have full control and no one can lock you out. Don't fall into the trap of digital sharecropping.

There are complicated tradeoffs here and different choices will make sense for different people, but it's close to what I do personally. My writing and projects are hosted on my own domain [1] and my email is jeff@jefftk.com.

On the other hand, I don't think this is something to do lightly. Say you register you.example and start going by you@you.example. A few years later you decide this is too much hassle, switch to using you@fastmail.com or you@gmail.com, and let you.example expire. Someone else can register it, send email legitimately as you@you.example, and Angular gets compromised. If there is anywhere you forgot to remove your former email from your profile, now you are open to being impersonated.

This problem isn't unique to personal domains, but it's much more likely: the major email services don't make abandoned email addresses open to reregistration, to avoid exactly this issue.

If you're considering registering a domain to use as your online identity, make sure you're willing to take on the cost and hassle of keeping the domain registered indefinitely.
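
One way to check for this exposure, as an added example that is not part of the original post: walk the email addresses still listed on your profiles and classify each personal domain from its RDAP registration record. The function names, the 60-day warning window, and all sample accounts and records are constructed for illustration, and the RDAP records are assumed to have been fetched separately.

```python
from datetime import datetime, timedelta, timezone

LAPSED = {"redemption period", "pending delete"}  # RFC 8056 statuses after expiry

def expiry_verdict(rdap, now, warn_days=60):
    """Classify one RDAP domain object; None means no registration was found."""
    if rdap is None:
        return "unregistered"          # anyone can register it right now
    if LAPSED & set(rdap.get("status", [])):
        return "lapsed"
    expires = [e["eventDate"] for e in rdap.get("events", [])
               if e.get("eventAction") == "expiration"]
    if not expires:
        return "unknown"               # registry did not publish an expiry date
    when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    if when <= now:
        return "lapsed"
    return "expiring-soon" if when - now <= timedelta(days=warn_days) else "ok"

def audit(accounts, rdap_by_domain, now, hosted=("gmail.com", "fastmail.com")):
    """Return (service, email, verdict) for addresses whose domain is at risk."""
    findings = []
    for service, email in accounts:
        domain = email.rsplit("@", 1)[1].lower()
        if domain in hosted:           # provider-owned domain, not ours to renew
            continue
        verdict = expiry_verdict(rdap_by_domain.get(domain), now)
        if verdict != "ok":
            findings.append((service, email, verdict))
    return findings

# Constructed sample data: profile addresses and RDAP records for their domains.
NOW = datetime(2022, 3, 6, tzinfo=timezone.utc)
ACCOUNTS = [("code-host", "you@you.example"), ("forum", "you@gmail.com"),
            ("package-registry", "you@old-project.example"),
            ("bank", "you@dropped.example"), ("blog", "you@kept.example")]
RDAP = {
    "you.example": {"status": ["active"], "events": [
        {"eventAction": "expiration", "eventDate": "2022-04-01T00:00:00Z"}]},
    "old-project.example": {"status": ["redemption period"], "events": [
        {"eventAction": "expiration", "eventDate": "2022-02-01T00:00:00Z"}]},
    "kept.example": {"status": ["active"], "events": [
        {"eventAction": "expiration", "eventDate": "2027-01-01T00:00:00Z"}]},
}

if __name__ == "__main__":
    print(audit(ACCOUNTS, RDAP, NOW))
```

Any row reported as "lapsed" or "unregistered" is an address to remove from that profile or a domain to renew before someone else registers it.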


[1] I do cross-post to Facebook, LessWrong, and occasionally other places. I also rely on them to host discussions on my posts, though I attempt to archive those discussions back on my site.

6 comments

comment by Gunnar_Zarncke · 2022-03-06T09:43:29.770Z · LW(p) · GW(p)

Note that you can lose a domain that you have registered if the domain name "infringes" on some name rights of a big powerful company. This is more likely with abbreviations. Example: The German journalist Wolf-Dieter Roth lost his domain wdr.de and a lot of email contacts going there when the WDR used German name law to take the domain away. Here is the writeup: http://www.dl2mcd.de/domain.html 

So better choose a long domain name or ones that contain your full first and last name.

Replies from: ponkaloupe
comment by ponkaloupe · 2022-03-08T20:34:29.668Z · LW(p) · GW(p)

there’s a lot of ways you can lose a domain. ICANN requires a domain’s WHOIS records (which includes email, tel, and physical address) to be accurate. i don’t have much experience with enforcement, but i think some TLDs are more impacted by this than others — e.g. .us explicitly treats WHOIS records as public and periodically “spot checks” the accuracy of records. [1]

additionally, ownership over the popular .io TLD has been contested in the past. i understand that the DNS root servers themselves are highly decentralized, across continents even, but the smaller TLDs and the registration part of it feels like it might be one of those human systems that relies heavily on norms and pure-hearted authorities.

1: https://www.washingtonpost.com/wp-dyn/articles/A7251-2005Mar4.html

2: https://salt.agency/blog/biot-chagos-islands-risk-to-io-cctld-domains/

Replies from: jkaufman
comment by jefftk (jkaufman) · 2022-03-09T14:27:03.734Z · LW(p) · GW(p)

Another way to lose a domain is choosing a registry that offers low introductory rates but is able to raise them a lot for renewals. This is especially a concern for the newer top level domains, which don't have much in the way of restrictions on pricing.

This, plus management competence, is why I have stuck to com/net/org

comment by lsusr · 2022-03-06T04:35:08.685Z · LW(p) · GW(p)

I have had good experiences with Zoho mail, a webmail client that allows you to connect a custom domain for free.

Replies from: hans-r
comment by Hans R (hans-r) · 2022-03-07T09:02:31.496Z · LW(p) · GW(p)

I've got my email registered there too, but I haven't committed to using it as my main address yet.

It's good to hear a positive experience from your end. Sadly they don't allow IMAP / SMTP access for free. :(

comment by thoughtsOnIdentity · 2022-03-07T20:35:17.938Z · LW(p) · GW(p)

This is a great point I have been considering when trying to figure out how I want to "own" my digital identity and considering different web 2.0, web3/crypto, and IndieWeb options.

I'd like to point out the mitigating nature of using Multi-Factor Authentication and/or public/private key encryption (à la PGP), for some of the above situations mentioned! Of course these wouldn't replace the directives of

(1) not letting the domain expire, and

(2) being sure to carefully remove/update/inform contacts and websites

but failing both of those, MFA/PGP would help!

And yes, PGP is neither widespread nor easy (the latter definitely driving the former), and YubiKeys aren't nearly as ubiquitous as silly SMS 2FA, but my point isn't about the specific implementation. I think the PGP/MFA angle just emphasizes to me the importance of accepting that our Digital Identities are very much like Theseus's ship, composed of many planks. The devil is in the details, of course, on which plank has write access to the others, to mix some metaphors : )

As far as that is concerned, I find it instructive to look at the US's attempts to ameliorate its awful system of "We don't have a national ID because that's oppressive but if you know someone's SSN we think you're definitely the right person!" I would much prefer a National or State level ID with Zero-Knowledge Proof (thanks Silvio Micali!) capability, but in the meantime the admission that "Some combination of personal knowledge, various forms of official identification attained at different points at life (SSN card, Drivers License, Passport), and access to certain other communication channels (SMS, Physical Mail, Backup Email)" represents identity pretty okay seems philosophically important, even as the hodge-podge, ad-hoc nature of its development has allowed for some awful "identity theft" [‘Identity theft’? It’s daylight robbery by the banks | David Mitchell | The Guardian] (read: daylight bank robbery but somehow you are responsible for it instead of the bank).