I'll never use GoDaddy. They've been fronting their customers for literally decades. A few times I searched for a domain, then the next day searched for it and found it already reserved by them and on sale for hundreds of dollars instead of the regular $10 it was the day before. They've been abusing their power for as long as they've been in business.
> A few times I searched for a domain, then the next day searched for it and found it already reserved by them and on sale for hundreds of dollars instead of the regular $10 it was the day before.
I don't understand how that could possibly be profitable. Imagine how many searches there must be for new domains every day. There is no way they could afford to buy all of the domains that people searched for.
And if they had any means of measuring how "good" a domain name is, in order to filter the searches that people make, and front run only the ones looking for good domain names – I don't think that would make sense either. If you were able to reliably measure how good a domain name was you could just buy the domain name right away without waiting for any customers to search for the domain.
Anyway, for anyone that is looking for a registrar to use I recommend that you stay away from GoDaddy. Register your domains with Gandi.net, they are nice and good. https://www.gandi.net/en-GB
Godaddy is a crappy company for many reasons, but this seems like something that's trivially testable. If they were really front running domains, anyone could spend an hour typing domains in and see a bunch of them mysteriously registered by godaddy the next day. Has nobody done that? Why can't I find any blogs where this was attempted?
This happens a lot. Godaddy comes up in the news, someone accuses them of front-running, someone else investigates the accusation and finds that the allegation in question was definitely not the result of front-running.
I have no information on whether they are or aren't front-running, but every time I've seen a specific allegation, it's been disproven. That doesn't make it factual either way, but I like Godaddy for enough other reasons to not use them, so I don't particularly care if they are or aren't, but I've yet to see a specific allegation be found credible.
> I am able to see that the registrant is based in New York. GoDaddy is based in Arizona. (...) From what I can see, it does not look like the domain name is listed for sale via GoDaddy or its network.
Doesn't sound like much of an investigation. It has happened to so many people (including myself) that either they do it themselves, allow third party access to domain search or their employees are able to do it.
If you can disprove the allegation in a single step, not much of an investigation is needed.
But like I said, these allegations crop up all the time, and investigations are done all the time, and every single time I have seen them, they have been quickly disproven. I am not an oracle, so it's possible that I've missed the cache of definite proof that exists, but I have seen lots and lots of debunking of the notion.
To your point though, there are numerous ways that could make someone feel like they were front-run, whether or not they had been.
* Before the ubiquity of SSL, I think it was common for people to buy search traffic from ISPs. If there were domain-squatters paying for this data, it would be trivial for them to buy anonymous traffic data, filter by "godaddy.com?domain=" and collate the reports. If they also cross-referenced the ${domain} part of that query with the number of people who attempted to go to ${domain}, it would be a good signal that owning ${domain} could be profitable
* Obviousness. It's not always, but often enough that when I see these allegations arise, they're related to The New Thing. e.g., 3 years ago, a lot of people felt like they were front-run for domains they were considering that started with "nft," or "crypto." Now, I'd wager that a lot of people feeling like they were front-run were considering domain names with "ai" in them.
* Selling search volume. I have no idea if Godaddy is or isn't doing this, but it's definitely a possibility. If they are, it isn't front-running, but the effect is just as nefarious IMO. I believe they've said that they don't, but that's from a vague memory and I have no idea if they can or should be considered credible
Conspiracy theory: their front-running bot also scrapes news sites and automatically stops for a few days if it sees a major story about them, specifically to produce this effect.
It's because it used to happen and people are convinced it is still happening, usually due to the aftermarkets. It's just not economically feasible anymore.
It is trivially testable. I've tested it myself a few times, against a few different companies, just for fun. I've never seen it happen.
If you imagine ordering all the domains in order of desirability, where the most desirable are long gone, and nobody wants "nsejrx8oesrjasrjb.com" (and even if they want an obfuscated domain, they don't want that obfuscated domain), there is a middle ground where it's not worth pre-registering but if you see an indication of interest it may push you over, especially if you have a cheap back door for registration as registrars do. In that case, the only ones sensible to front-run are the ones in that middle ground. It is possible that I never chose a domain that triggered such an algorithm. That said, as I was aware of this possibility at the time, I did deliberately try to come up with a combination of tasty & tempting words in a new format that looked like maybe someone would really want it, and I never could get the hypothetical algorithms to bite.
Take a crack at it if you're interested; it really isn't that hard or a big investment in time.
They must have some algo that rates domain quality. It happened to me recently, so it's not bullshit. They do front running, but they have some sophisticated scheme behind it.
In the past registrars could do domain tasting - register and cancel in 5 days without payment. I'm not an accredited registrar and haven't been in the domain space for a while so this was back in 2010-2012 but it certainly used to be profitable because there was no fee.
> A few times I searched for a domain, then the next day searched for it and found it already reserved by them and on sale for hundreds of dollars instead of the regular $10 it was the day before.
I can confirm this experience, on 2 occasions when I looked up a very specific (and definitely not common) domain, they were suddenly reserved by GoDaddy and sold for a premium price. Not hundreds, but like 50-150 instead of 12.
I can't prove it, of course, but after hearing about those problems with GoDaddy multiple times it just seems too convenient for them to be a coincidence.
One other explanation (though I am fairly certain GoDaddy was fronting you) is if they include any third party ping/script etc., and that script/ping gets the referrer or the URL of the page, some malicious 3p could also do this...
And the 3rd party would sell it to GoDaddy themselves? They were offering me to buy the domain from themselves, they didn't just say it wasn't available.
> A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today
This is just a sign of GoDaddy's complacency. I use GoDaddy for domain registrations only. Yet I had my account taken over with a SIM card attack/swap and they spent so long to fix the issue that domains were transferred without locking.
Web Hosting, particularly 'shared' hosting is extremely prone to regular banal attacks and requires extreme constant attention, customers less tech savvy would choose it for the very reason they know the Godaddy name, they're expecting them to look after the tech work.
A Multi-Year breach is an incredible display of incompetence and neglect. I have no idea what the security/monitor team are doing there but someone definitely dropped the ball, especially given the fact they admit that the 2020 break was related. It should have been an open-and-shut case from there.
When I first set up my company's website it was hosted at GoDaddy. Totally static site. It got 'hacked' one day, with new php files and redirecting users to some nonsense. This was August 2016. The ftp server had a very long, random password. I changed it again after this.
It happened *again* March 2017, though different files were added. After this I moved my site to Digital Ocean.
I never found out how this happened.
Does anyone know how long this has been going on? The article didn't give a definitive start date.
One of my relatives had a similar thing happen a few years ago, though not at GoDaddy.
In this particular case, they had "shared hosting" and it turned out the permissions on their particular directory were somehow left writeable by "other". In the *nix filesystem sense.
eg any other customer/user/etc on the server was able to overwrite the files. Which someone had done at some point.
Was easy to fix at the time (eg fix the permissions), but I have no idea if it occurred again over time.
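The "writeable by other" condition described in the comment above, as an added example that is not part of the original thread: a shell audit that lists entries under a site directory with the other-write bit set, then clears that bit. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shared-hosting site directory for entries that any
# other local account can modify (mode bit o+w), then remove that bit.

# Print every file and directory under $1 with the other-write bit set.
# Symlinks are skipped: their own mode bits do not control access.
audit_other_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null | LC_ALL=C sort
}

# Number of findings under $1, as a bare integer.
count_other_writable() {
    audit_other_writable "$1" | wc -l | tr -d ' '
}

# Clear the other-write bit on every finding under $1.
fix_other_writable() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Build a constructed sample tree: one other-writable file and one
# other-writable directory next to correctly restricted entries.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html/uploads"
    echo '<h1>hello</h1>' > "$root/public_html/index.html"
    echo 'ok' > "$root/public_html/about.html"
    chmod 755 "$root" "$root/public_html"
    chmod 644 "$root/public_html/about.html"
    chmod 666 "$root/public_html/index.html"   # other-writable file
    chmod 777 "$root/public_html/uploads"      # other-writable directory
    echo "$root"
}

# Demonstration on the constructed tree.
tree=$(make_sample_tree)
echo "other-writable before fix:"
audit_other_writable "$tree"
fix_other_writable "$tree"
echo "other-writable after fix: $(count_other_writable "$tree")"
rm -rf "$tree"
```

An other-writable directory matters as much as an other-writable file, since write access to the directory is enough to add or replace files in it.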
There seem to be three incidents and all after 2020.
But FTP - unless GoDaddy enforced TLS connections on that, which back in 2016 they probably did not because it would have been a support burden - this could easily have been password sniffed.
Long long ago, I needed a new website hosted and with no other decision towards the host than I had never tried GoDaddy, I gave it a shot. Within hours, I regretted the decision immensely. In comparison to my previous hosting experiences, it just pissed me off at almost every turn. It was the first time I experienced a company trying to make the interface for non-techy types and made getting to the guts of the tech hidden behind many layers that just frustrated me to no end. I canceled my account and have never looked back.
It is just another one of the examples of a company that advertises that intensely is probably a company I don't really want to be involved with.
For me, this company was Network Solutions. Never have I ever dealt with a thing so bizarre. They even uppercased my email address when communicating with me.
I tried it once as well, maybe ten years ago. The annoying thing not yet mentioned is that it tries to upsell you at every step. You quickly realize that steps have been added for additional upsell opportunities.
Then the "elephant shooter" drama happened and I moved to namecheap and didn't look back. Was a breath of fresh air in comparison.
I didn't see a way to delete my gd account, so think it is still there. Hope my data didn't get out again. :doh:
> The annoying thing not yet mentioned is that it tries to upsell you at every step
I turn it into a game. I love the feeling of having cheated their systems and cleverly opting out of all the up-sells. I am forced to use GoDaddy because I have profitable blogs and e-commerce stores which would be a holy war trying to migrate all that to other services. It's do-able, but would be a headache and a half.
The only thing that annoys me from Namecheap is that their API isn't that good. You can't just update a single record, you have to update the entire zone.
Updating the entire zone just to automatically set a verification token (like for Let's Encrypt) is too risky.
It's sad because I used to remember a long LONG time ago they exposed a bunch of things that other registrars required you to email or call support to do. That stuff is still there, but otherwise the whole site just feels slimy.
Law enforcement (to GoDaddy): "well it went on for years from what we can tell. Whoever did this is more sophisticated than a bunch of impulsive teenagers 'joyriding'".
GoDaddy PR (to world): The attackers were sophisticated, the cops said so!
What a disgrace of a platform. I'd understand dropping a c99 on a cPanel back in early 2000s but these days? What are the engineers doing at the company, collecting a paycheck and pretending to do work?
Speaks volumes for the culture being cultivated at GoDaddy.
I agree that this is bad but I'd encourage you to rethink your comment. The "clown engineers" you are calling out maintain a level of uptime and scale that's hard for most people to imagine. You don't do that by being an idiot.
Instead of calling them names and assuming bad intent, maybe take a second to think about how much it must suck for them right now. I'm sure it's all hands on deck nights/weekends to fix. No one sets out to do a bad job in my experience.
You're right. I have removed the "clown" part, because after submitting my comment it left an itch in me, too. I think I have seen too much bad press about GoDaddy that "simple" things like this just bring out the worst in me. Thanks for pointing that out.
Godaddy has the most user-hostile platform of any domain registration company I've ever encountered in the 25+ years I've been registering domains. It's utter garbage in every way.
There isn't enough info for how the compromise happened and it may not be related to cPanel at all. What I find interesting is in 2017 GoDaddy bought Sucuri which monitors and cleans up malware, not sure if they still own it - but combining Sucuri and shared hosting makes the most sense. Most of these cPanel hosts (excluding GoDaddy) are using products like CloudLinux+Imunify360 to better secure sites, clean up malware automatically. GoDaddy is already outsourcing their cPanel control panel, it would only make sense to do what others in their space are doing and automatically be adding security products to their sites. Like - a c99 shell - would never make it on an Imunify360 server, it would be immediately detected and disabled.
I feel like a lot of these older platforms are being shown to be as rickety as they actually are, as malware and hacking toolkits improve and proliferate. Bad practices are going to show through, bigtime with this next cold war the US is entering.
i would not be surprised if their back end is still a bunch of old skool perl scripts in the cgi folder that were l33t coded back in the day, but nobody now can even start to parse the perl itself.
switching from impossible to read perl scripts to flavor-of-the-day language would be a use case i can actually get behind and support for replacing.
Well cpanel is written in perl, and certainly hard to read but overall I would say cpanel is probably one of the more secure control panels. This hacking, sounds like the systems were root compromised and unlikely to be related to cpanel. I would guess it is more likely credential compromise, perhaps phishing related on staff themselves.
Wow, multi-year is truly embarrassing. Hosts being compromised is the worst case scenario because the attacker can decide who to serve the malware to in a spearphishing fashion.
It happens to more companies than you'd imagine, even big ones. Security monitoring and logging is hard to get right, especially if you try to add it to a previously insecure system.
A smart attacker can hack your company unnoticed and passively watch your company for the right moment to strike. I doubt that the hackers logged into the office VPN every day.
I hate blaming the victim, but so much bad press had come out against GoDaddy it's like complaining that the bear hurt you when you went into its den and disturbed it.
I am not surprised at all. Maybe 7 years ago I got called in to clean up a website "hack" where the site had a bunch of malicious JS on it. Site was hosted on GoDaddy.
Pulled the site down locally and started the regular process of find/remove, but nothing was showing up. Hosting the site locally, the JS wasn't being put on the page. Checked all the server files for stuff like php.ini, user.ini, etc etc. Nothing was showing up.
Created a plain info.php file on the account. That had the JS injected into it.
Started searching for other sites with the same JS, found a bunch, dozens. Started a search for "neighbor" sites to the one I was investigating, ones that most likely were on the same server. They ALL had the JS injected. Server was owned.
I alerted the client and sent a note into GoDaddy, like you need to check this out. Got a response that it was impossible for the server to be compromised and I should buy their Sitelock service for security. Instead we requested a migration to another server and that cleared up the issue.
For DNS, I have been using Gandi (1) for the last ten years or so and have been very happy with them. I originally went with them because they were one of the few registrars that did the .cat TLD. I liked the experience and eventually transferred all of my domains to them.
They are a French company. Their slogan is "No Bullshit," (2) and I think they've done a decent job of living up to that.
My only frustration has been a situation where I was transferring an existing domain over to them. I wanted to create the zone file ahead of time so that when the transfer happened, there would be an identical zone file ready to go. But they wouldn't allow me to create a zone file for a domain that hadn't transferred over to them yet. Since I'm not doing anything critical with my domains, it was just an annoyance, but that would be a show-stopper for some.
As it pertains to billing problems, they allow you to pre-pay a chunk of money to your account. (They take PayPal.) It deducts from that amount when domains renew. That provides a buffer if you need to cancel your credit card.
Also, on the occasions that I have created trouble tickets, they have been responded to in a reasonable amount of time with helpful information.
For web hosting, I used Bluehost for many years and became extremely dissatisfied with them. I switched to Siteground.com about five years ago and have very little to complain about.
I second your Gandi recommendation! Everything is straightforward. Never had any problems with their service or support.
When you buy a domain from them they also include a pair of web/smtp/pop/imap mailboxes you can use, with the ability to create aliases, including wildcard aliases. So I don't need to pay separately for fastmail or some other email service.
I can also strongly recommend Gandi. Used them to manage 40+ domains for my old company. Professional and good coverage of the TLDs.
Nice is also that you can buy credits - that way I could renew a bunch of domains that expired at different times and filing only one invoice to bookkeeping.
There are many others I can vouch for. There's a good list of them here[0]. Make sure to choose ones that have proper 2FA as it's a good heuristic for how well they consider security.
OVH is always an exercise in broken UI including terms of service that seem to be copied from a PDF and have random artifacts. It's probably the worst buying experience I've had since the noughties and nothing changed in the years I'm with them now.
...but they're cheaper than other registrars known for being cheap, and I've monitored their nameservers (and a few others') for nearly a year before switching away from my previous registrar and they were consistently fast whereas others had spikes, outages, or constantly round robined across oceans or some such.
Quality servers at very low prices makes me put up with some broken UI for a few minutes per renewal.
I must be making a huge mistake somewhere, but my registrar is AWS. It's no nonsense.
I'm sure recommending AWS for hosting is not what you're looking for, but I've been running a static website on S3 fronted by their CDN and it's been nothing but painless.
I’m not using any of the really expensive parts of AWS. S3, Cloudfront, Route 53. I’ve seen cheaper elsewhere for all of these for sure, but nothing catastrophic compared to the crazy cuckoo cloud stuff.
Godaddy. One of the most horrible companies. Always was. Bob Parsons is a sad individual with many lovely quotes attesting to that fact. Hope this ends them.
Are you saying that other hosting companies in the same level of complexity are just better, or possibly alluding that other companies might not be upfront about things occurring within their orgs? Either way, it really sounds a lot like you're minimizing the negligence and just a poorly run company.