The concept of WHOIS has felt sleazy for many years.
If I register a domain, the registrar will basically extort me a couple extra dollars per year for “domain privacy” for the privilege of not having my name, home address, phone number, and email publicly available and then mirrored across thousands of shady scraped content sites in perpetuity. Even if you don’t care about that, then begin the never-ending emails, texts and calls from sleazy outfits who want to sell you related domains, do SEO for you, revamp your site, schedule a call, or just fill your spam box up with legitimate scams and bootleg pharma trash.
All because you wanted a $10/year dot com without paying the bribe.
And yes I grew up leafing through well worn phone books next to corded phones. This is not comparable.
To be fair, OP never said this was necessarily related directly to the article.
I’ll often post loosely related tangents like this because I would enjoy discussing the tangent with the HN crowd, but there’s often not a better opportunity to discuss it, so why not while we’re sort of on the topic anyway.
Ack that I don’t think it makes sense to discuss not even remotely related topics. But as long as it’s in the ballpark and it’s not going against other guidelines and leads to interesting discussion, I think it’s fine.
Indeed. Furthermore, the fact that there is still a replacement makes the discussion even more pertinent in this case, since OP is arguing for the abolition of any such protocol.
That was a common racket a long time ago, but pretty much every widely recommended registrar offers free whois privacy now. At least when they're allowed to, some TLDs forbid obfuscating the whois information.
a little less than a year ago, my wife registered a .us domain that she ended up not using at all. she still gets phone calls nearly daily from people trying to sell her web design/dev work
I have two .in domains with namecheap and whois data is all "REDACTED FOR PRIVACY" despite namecheap not allowing me to add domain privacy when I purchased the domains.
I’ve looked into it a bit more, and turns out there are two options for redacting WHOIS data:
- “Privacy service”, which is these funky named LLCs replacing your data in the WHOIS
- Just the redaction, which replaces almost all data with REDACTED FOR PRIVACY (except for registrant's country, state, and organization name).
No idea why or how any of this works! Apparently, Porkbun does both: on another domain of mine, aedge.dev, it shows REDACTED FOR PRIVACY and replaces the org name with “Private by Design, LLC”. For notpushk.in, it does show my country (RU... looks like I haven’t updated my address in a while lol) but everything else is redacted, too.
Spaceship on the other hand doesn’t bother and returns only this tiny response:
Domain Name: lunni.dev
Registry Domain ID: 4AF9AE073-DEV
Registrar WHOIS Server: whois.nic.google
Registrar URL: None
Updated Date: 2025-03-10T13:01:35Z
Creation Date: 2022-12-11T02:30:54Z
Registry Expiry Date: 2025-12-11T02:30:54Z
Registrar: Spaceship, Inc.
Registrar IANA ID: 3862
Registrar Abuse Contact Email: abuse@spaceship.com
Registrar Abuse Contact Phone: +1.6027723958
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: coco.bunny.net
Name Server: kiki.bunny.net
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2025-03-17T17:11:09Z <<<
Edit: or, rather, that’s what whois.nic.google returns for a domain registered in Spaceship.
According to German law every website that is owned and operated by a person or entity in Germany needs an imprint with full name, address, email address and phone number… (of the owner 2 owning entity)…
a) This is only for commercial websites although what counts as commercial is vague and probably not something you want to argue in court so it's safer to just add it unless you are absolutely sure.
b) You need a valid postal address where you can receive mail but this doesn't have to be your home address. A PO box is fine.
c) You don't need to have a phone number in your Imprint.
The base requirement of commercial operations having to have valid contact information (that can be used for legal communication) is pretty sensible. The details could be a bit friendlier towards individuals running purely personal sites.
So this in practice is a massive push to centralization: if you have a Facebook page or Instagram account, you don't need to risk that level of privacy compromise.
At the same time, expecting that your NAP info isn't already in the hands of anyone who wants it makes no sense in this day and age.
Between the countless DB leaks and numerous infostealer campaigns, and considering that anyone who has you in their contacts list is extending the exposed surface area, it's untenable. Other events like marriage and home ownership further complicate any attempt to keep your name and address private.
Not saying you shouldn't opt for domain privacy, just giving a reality check. To really enforce your privacy you have to have multiple phone lines and a shell company, at the least. And really, even that isn't enough unless you can also commit to being a hermit.
There is a tangible difference between some people having this data somewhere out there, and literally anyone who wants to have it being able to look it up in a few seconds using tools already installed on almost every computer anywhere.
The ability to look up the correct contact details for a commercial enterprise on that enterprise's website is a good thing imo. It is (or was) part of the EU requirements for commercial websites (anything selling, giving purchase advice, advertising, ...).
It's a useful filter, a seller without identifiable people and location is a big red flag.
Exactly. All their info was scraped long ago. Whois and abuse info, it all needed to be deprecated a few decades ago. But, pity the poor fool who actually contacts me. I treat them like regular scammers. Get all the info, and then tell them to pound dirt.
Except for the guy who tried to sell me annuity liquidation. Yes, if the person gets unalived earlier than expected, you win.
In related news, I saw someone buy $150 worth of lottery tickets, as I was on the way to a large hospital to visit a sick friend. The lottery guy I am sure lost, and the hospital guy (profit-care) won, while the ward was understaffed (a profit-center). And 7 out of 8 fare collection machines were out of order (deferred maintenance as a profit-center). I get the distinct feeling that corporate America just does not even care in the slightest.
For the organization that managed the WhoIs? The horse left the barn so long ago, its great great great grand-children are old and gone. Long gone.
Laws are crazy. The CAN SPAM act requires you to publish a physical mailing address in the email you send. It was an anachronism even when it was originally passed -- who wants to unsubscribe to email via physical mail? And yet it's still there, for no reason.
you just have to have enough money to have some legal entity register on your behalf and that legal entity then has their system spammed, but they have their phone public anyhow...
the idea is to have individuals accountable while not annoying owners.
in that sense it makes _perfect_ sense and works as intended.
a proper solution ingredient would be trustworthy and affordable pseudonymity, and that can be lifted by court orders only. but then who guarantees the independence of courts? and the fairness of laws?
I don't understand why people aren't using fake addresses for registering domains. I've had a few registered to 1001 Main St in my local town and a made up phone number for over 10 years now with no issue. Main Street will never be over 40 addresses for the foreseeable future and I can just update the record if need be.
So .us is more trustworthy than .com. Good to know.
I'm one of those that think that developers are hiding too much, which makes things like VS Code extension viruses rampant.
I won't force you to not be anonymous, but if you are going to run your software on my device I want some accountability. Our salaries should also reflect that.
So far I haven't encountered a single actual virus, and if you're referring to the recent Material Theme debacle, there was never any malicious code involved, only third party libraries with obfuscation.
> So .us is more trustworthy than .com. Good to know.
Be careful about concluding things like that.
The TLD has a requirement that you publish your info. That doesn't mean they have any way of verifying it. If someone could prove that the info was false then they might lose the domain, but they also lose the domain if someone can prove that they're operating a scam. So the scammers just make up fake info and all the requirement is doing is impacting the privacy of honest people who want a .us domain.
I think I understand your point, but your wording leaves some ambiguity. If I am running my software on your device you must be a cloud provider. In that case, the accountability you are looking for is probably not provided in the same way it would be if you were running my software on your device.
Either way, your aversion to anonymity of developers is interesting. It's a discussion for a different thread, but I think an important one.
It would be nice to find such a thread. This is a pet peeve of mine.
It’s one thing if you have a PO Box, and it’s consistently used in your various documents and registrations. I get wanting a firewall to direct availability.
But if I can barely find evidence you exist other than your software, or if you operate a fairly large scale service and you haven’t filed a yearly required corporate report (a specific example I recently came across), then those are red flags to me. Not immediate showstoppers necessarily, but if you’re trying to get me to make a purchase, I probably won’t.
It’s fine if you have domain privacy turned on, but if you’re selling me software or services you have got to offer some kind of evidence that you have some kind of business nexus someplace. In a business context, I’ve got to know that for avoiding sanctions violations at the least.
A lot of effort has been spent studying trust. I'm not clear how a PO Box creates trust.
How do you trust that food from McDonalds is safe? How do you trust that Samsung hasn't empowered parties to control the mic on your phone? How do you trust Wells Fargo to hold your deposits? How do you trust the kennel to walk your dog?
Trust is really really hard. So a lot of people choose to adopt a zero trust philosophy.
Except they still eat at McDonalds and buy Samsung and bank at Wells Fargo. But they drop their dog off with Aunt Lawana now, instead of the commercial kennel.
Do you remember when Sony installed rootkits? Do you remember when Windows got compromised every 5th day for two years straight? Do you remember when HP broke every HP printer with a firmware update? Do you remember when the whole world got put on pause because an "anti" malware software pushed a flawed update? Do you remember when a certain credit-rating bureau got breached and exposed the PII of, well, everybody?
Do you remember that every one of these companies went on to post record profits?
Dear User, Our system has identified an unpaid toll charge linked to your vehicle. To avoid additional fees or service disruptions, please settle this matter within 12 hours.
Best of luck trying to get an unknown Chinese registrar to stop their spam. My carrier does not even have a clue. My routers now block anything *.Xin. Anything and everything.
> The concept of WHOIS has felt sleazy for many years.
More recently, yes. But the original (perhaps naive) goal was to keep domain owners accountable for whatever they were serving from hosts under their domains. That seems reasonable, at least on a more "polite" internet, where things weren't scraped and monetized and SEO'd into garbage.
The general purpose of publicly accessible registrant data is that people should be able to contact the owner of the domain in case of an issue, rather than the registry or registrar. "domain privacy" is simply the registrar putting themselves as the domain contact and becoming a forwarding service to you.
For large companies, and registrants under those ccTLDs that require local presence, it's not uncommon that a legal firm acts as a proxy for the domain owner. This is a service that they take a few dollars for, and it is in many ways similar to domain privacy.
The requirement of having the registrant as the contact person for a domain is something that (to my knowledge) comes from ICANN, and I think it has a positive effect. A domain should be owned and controlled by the registrant and not the registrar, which is then reflected in the contact information. In an alternate history we could see that the registrar (or even registry) owned the domain and only leased it to the registrant, in which case the registrant's power would be limited to other online services that people "buy" today.
Web hosts competing based on who had the prettiest cPanel theme. The number of email accounts you were allowed was something that mattered. If you were lucky enough to get SSH access, it was jailed and only really allowed you to move files around more easily or edit something with vim/nano.
Oh, I have unintentionally become a GoDaddy customer (a company I have spent ample time hating and shitting on over the years) because I was a legacy Media Temple customer going back to like 2006 and I still just can't be bothered to clear out everything on those sites/domains, and they eventually got acquired.
Let's Encrypt has done great work with certs for free. But they do still cost money. Insane for how long unencrypted traffic was the default. But I could not have done anything if browsers had soft-enforced https earlier. I simply could not have paid that money.
I still can't get my head around why a .com costs $9.59 (plus registrar margin)
There are 160 million registered .com domain names.
I understand that operating root servers isn't free, but surely they don't cost $1.5 billion per year! Wikipedia's hosting costs are $3 million per year, for comparison.
Only $0.18 goes to ICANN, the non-profit. The rest goes to Verisign, which is a publicly traded for-profit company that ultimately gets that $9.59. I bring this up because it of course _doesn't_ cost that much. Incidentally, Verisign posted $1.56 billion in revenue last year and spent about $1.21 billion on stock buybacks in the same time.
Because that doesn’t solve the problem. The demand doesn’t go away if you charge less – if you charge $1/yr for .COMs, they will all be permanently squatted. (Well, like now, but worse!)
We could use anti-scalping techniques, but that’s non-trivial to implement. Perhaps some name squatting policy? No idea how to enforce it though, especially without money.
Yeah, that’s a good point. Then again, you can also ask that for any other gTLD (why should Google get the proceeds from .dev?), and that would be a valid question.
I think the current system is inherently flawed... but it kinda works, and nobody wants to figure out the politics of fixing it – so I guess we’re stuck with it for a while.
Because it's a natural monopoly. Nobody ever got taken seriously with a .biz address.
(.com is basically price-regulated because of this, FWIW, Verisign can't just raise prices whenever or however it wants. But obviously it's still a pretty sweet deal for them, I'd imagine.)
Hell, even .net will lose you traffic. If someone has your desired name with .com so that you use any other TLD, you will lose traffic. If your .com is taken by someone in the same line of work and not just a coincidental use of the same domain, then you'd be insane to not change the domain. I'm not sure how many people manually type domains in any more (I do though), and .com is muscle memory.
If a system is built in a way that creates a monopoly I'm not sure it's legitimate to refer to it as "natural". The characteristic that defines natural monopolies is that there's no realistic (at least known) alternative way to go about things which isn't also a monopoly.
Of those 160 million, what percentage of them are on the 1-year renewal plans, and how many of them are on multi-year plans? I'm guessing the vast majority are yearly. It would be interesting to know how many of them never get re-registered after the first year.
I agree that it's ridiculous, but absent some sort of regulation, things are not priced based on how much they cost the provider, but based on how much people are willing to pay. Even if they're unhappy about it.
The thing is there are supposed to be regulations. .com is not privately owned but a public good that is supposed to be regulated by ICANN with the interests of the public in mind.
Just in case: you can get a .com for less than that nowadays, sometimes $3 for the first year (then transfer it back and forth for $5–7). Here are some price comparisons: https://tldes.com/com, https://tld-list.com/tld/com
I assume some registrars sell these at a loss and expect to offset that by selling you WordPress Supreme Ultra Enterprise hosting for... $40/yr? No idea how this works.
They always list it in the line items and in the renewal but whatever. In fact, it looks like I forgot to turn on auto-renew on their domain privacy product so it's sitting there in the 'grace' period. They work as a registrar so I use it.
I was going to buy a domain back in my student days, but I stopped when I realised I didn't have a phone number. I used the public phone-box on the corner whenever I needed to actually call anyone. It was a little annoying to have to register a phone number when I didn't actually want anyone to call me.
> The concept of WHOIS has felt sleazy for many years.
The concept of most internet things has felt sleazy for many years. Right around the time that businesses started monetizing the internet is when that feeling really kicked off tbqh
GDPR is what changed this. Before that, registrars had little incentive to hide it for free when they could instead charge you for the service. It was not trivial that Google Domains (rip) came with free privacy proxy right from the beginning.
It's not so much that registrars had little incentive, but rather that GDPR defined the concept of legitimate interest as the definition for when registries should give out public information about domain ownership. That allows the contact information to still point to the correct domain owner without going through a proxy, while still creating a small hoop for parties interested in extracting ownership information from the registry.
One can see this in practice in that company registration information is usually still available (though often behind a captcha), while personal information of private registrations requires additional steps to demonstrate a legitimate interest. All this is also generally occurring at the registry level, rather than at the registrar.
It should be mentioned that privacy proxy is very similar to a straw man registration. If the registered owner is the proxy, then you are trusting that the proxy will honor the contract that is linking you with the property.
So I've walked past Lennart Poettering's house before without knowing it. (And that is not the sort of area where I'd have guessed he would live.)
If I were some kind of crazy maniac, I could pay him a visit and shut down systemd for good. You see why having this information out there is dangerous?
> the registrar will basically extort me a couple extra dollars per year for “domain privacy” for the privilege of not having my name, home address, phone number, and email publicly available
Note that it is being replaced with a different protocol, is there any indication that there are less stringent requirements on identity data disclosure on the new proto?
It's the same data. What's different is essentially the transport layer for the information.
> Two protocols that have the same data would be quite redundant.
When one is plaintext, underspecified, and decades old, they're not. I don't think you realize how primitive WHOIS is; this is the entirety of its RFC: https://datatracker.ietf.org/doc/html/rfc3912 Note how it doesn't go any farther than "it's a plain text blob retrieved over TCP". Now contrast with the RDAP RFCs, which fully specify every aspect of how an RDAP service works:
Integrating with WHOIS is a nightmare, as every registrar/registry does it differently since there's no common specification other than "connect over TCP". RDAP is fully specified, so you can simply use a language-specific library and then inspect a strongly typed response object returned by said library to get specific information out of the response. It's a night-and-day difference, and there's obviously a reason for the new spec to exist even though it conveys the same data. It's absolutely not redundant.
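An added example, not from this thread or any registrar's code: it scrapes a WHOIS text blob with the kind of heuristics the comment complains about, then reads the same record as an RDAP domain object (constructed here from the lunni.dev reply shown earlier, using the RFC 9083 member names), and normalises both so you can see that the data is identical and only the parsing effort differs.

```python
import json
import re

# Constructed sample of a WHOIS reply: RFC 3912 only says "plain text over TCP",
# so the "Key: Value" layout below is a per-server convention, not a standard.
WHOIS_TEXT = """Domain Name: lunni.dev
Registrar: Spaceship, Inc.
Registrar IANA ID: 3862
Registry Expiry Date: 2025-12-11T02:30:54Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: coco.bunny.net
Name Server: kiki.bunny.net
>>> Last update of WHOIS database: 2025-03-17T17:11:09Z <<<
"""

# Constructed sample of the same domain as an RDAP domain object (RFC 9083 member
# names; RFC 8056 spells the EPP status code with spaces).
RDAP_JSON = json.dumps({
    "objectClassName": "domain",
    "ldhName": "LUNNI.DEV",
    "status": ["client transfer prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2025-12-11T02:30:54Z"}],
    "nameservers": [{"ldhName": "kiki.bunny.net"}, {"ldhName": "coco.bunny.net"}],
    "entities": [{"roles": ["registrar"],
                  "publicIds": [{"type": "IANA Registrar ID", "identifier": "3862"}]}],
})

def _summary(domain, expires, nameservers, status, registrar_id):
    """Common normalised shape so the two transports can be compared directly."""
    return {"domain": domain.lower(), "expires": expires, "status": status,
            "nameservers": sorted(n.lower() for n in nameservers),
            "registrar_id": registrar_id}

def parse_whois(text):
    """Heuristic scrape: split on the first colon, keep repeated keys (Name Server)
    as lists, skip banner lines. Any other server layout breaks this."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def whois_summary(text):
    f = parse_whois(text)
    # EPP code is glued to a URL: take the first token, camelCase -> RFC 8056 spacing.
    status = [re.sub(r"(?<!^)(?=[A-Z])", " ", s.split()[0]).lower()
              for s in f.get("Domain Status", [])]
    return _summary(f["Domain Name"][0], f.get("Registry Expiry Date", [None])[0],
                    f.get("Name Server", []), status, f.get("Registrar IANA ID", [None])[0])

def rdap_summary(raw):
    d = json.loads(raw)  # the shape is fixed by the spec, so no guessing here
    expires = next((e["eventDate"] for e in d.get("events", [])
                    if e["eventAction"] == "expiration"), None)
    registrar_id = next((p["identifier"] for ent in d.get("entities", [])
                         if "registrar" in ent.get("roles", [])
                         for p in ent.get("publicIds", [])
                         if p["type"] == "IANA Registrar ID"), None)
    return _summary(d["ldhName"], expires, [ns["ldhName"] for ns in d["nameservers"]],
                    d.get("status", []), registrar_id)
```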
For .pl TLD, due to GDPR, domain data is hidden by default for private individuals (as opposed to companies), yet some registrars still try to upsell the "domain privacy", hoping you don't know about it.