183 points

The argument for .ml domain has always been absurd to begin with. So it’s free but the price you pay is that it’s being run by Mali. I’d just drop $8/year tbh, that’s not a hill you want to die for. Also you harm your project by being SEO punished for using spam-associated TLDs like this. One of the reasons original Lemmy took so long to adopt until Reddit’s API drama. Pretty dumb ngl.

60 points

If I remember right it was also “free to register but insanely expensive to renew once they start to see traffic”

35 points

Renewal costs are my primary consideration when picking domains. Subscription fees are how your money disappears when you’re not looking.

8 points

Anyone know how companies get the rights to domains to sell in the first place? Do they literally submit a list of all domains to ICANN or something? Sorry if this is a stupid question, I just never understood how any of this really works.

142 points

This brings a disturbing thought to mind… if an instance domain name like foo.bar lapses and someone else snaps the domain up (or if it gets stolen) can the new controller plop Lemmy on a server and be instantly federated? If so what kind of damage could they do?

178 points

No, the signatures wouldn’t match.

4 points

That’s an assumption that lemmy will quit federating with a server that does not match.

And what signature are we talking about anyway? It’s not certificates…

17 points

ActivityPub signatures that each user and group sends out their messages with.

1 point

It’s not an assumption, it’s how ActivityPub works.

63 points

This is why you don’t let your domain registration lapse. It’s not the only way computers on the internet verify each other’s identity, but a hell of a lot of internet security features are based around domain names, so keeping yours functioning is a very big deal.

67 points

Domain registration ≠ internet security. Root of trust is in cryptographic keys, not domains. DNS is not the security cornerstone you make it out to be. PKI says hi!

24 points

Consider how many systems rely on being able to send you an email for verifying your login and performing password resets. Those who have control over your email address domain can trigger a password reset for most online services out there. Imagine if Google forgot to renew gmail.com and it fell into the wrong hands.

8 points

Yes, but it is very quick and cheap to get a domain validated cert from a CA that is generally trusted by most web browsers, so once the bad actor has the domain, they should be able to trick most users. Only maybe certificate pinning might help, but that is not widely used.

7 points

Email is tied to domains. TLS is tied to domains. CORS is tied to domains. OAuth is tied to domains. Those are just four things I can think of while half asleep. Here’s one recent example of how screwing up a domain name is enough by itself to cause a security breach.

Cryptography is not security any more than domain names are; both are facets of how security is implemented but there’s no one system that makes the Internet secure.

32 points

ICANN has an Expired Registration Recovery Policy (ERRP) that requires your registrar to give your domain a 30-day grace period before deleting the records. ERRP also requires them to shut down your DNS resolutions 8 days before deletion.

You’d have to be really mismanaging your domain if you miss all the required email reminders and don’t notice your domain has been non functional for a couple of days.

17 points

I think Microsoft and Google have both done it, but what do they know? 🤣

5 points

Oh really? Haven’t heard that one, back in the day or something?

108 points

Using .ml was stupid in the first place. No need to try to be a special snowflake by using a sketchy TLD.

45 points

It’s one of the 5 TLDs (now 4 I guess) that are free. The others being .tk, .ga, .cf and .gq

We need free TLDs.

17 points

I’m aware. Using it for something like this is stupid.

6 points

wow I didn’t even know that was a thing! This is useful to know, thanks :D

33 points

But- But- But the memes of a Marxist-Leninist instance!!1!

6 points

Commies punching the air right now

1 point

They should check if .cia is open if they want to switch over to something more fitting.

16 points

I wonder if it was done on purpose after it came out that the Pentagon had typo’d “.ml” instead of ‘.mil’ and exposed a lot of sensitive emails…

20 points

Highly doubtful much of anything majorly sensitive got leaked. Firstly even unclassified DoD emails are encrypted by default. Secondly anything classified isn’t even on a network that can talk to normal email, it’s either 100% point to point encrypted or on an airgapped network. If I hopped on SIPR (DoD Secret-level internet) and emailed a normal email address it simply wouldn’t work.

10 points

That doesn’t stop somebody from being an idiot and mentioning something classified in clearnet communications. Never underestimate the power of stupidity.

5 points

Ehhhhh, you’re missing the human element. Humans do dumb shit all the time. You can’t stop someone from reading something with their eyeballs, remembering it in their meat brain, and using their sausage fingers to type it back into something unsecured. Odds are still low of course, but I wouldn’t be so confident.

104 points

Out of curiosity, other than fmhy.ml, lemmy.ml, and lemmygrad.ml, what other Lemmy instances were using .ml domains? Also, how are the latter two still running but fmhy.ml isn’t?

edit: This has triggered a chain of comments I wasn’t expecting. I’d appreciate it if someone can answer on a technical level. Are the latter two using a different registrar or name server which is why it still works for them?

84 points

Why are so many instances using .ml anyway?


AFAIK, lemmy.ml and lemmygrad.ml use it because the ml can also stand for “Marxist-Leninist”, and the two primary maintainers of Lemmy are Marxist-Leninists. Not sure about the others though.

66 points

It can also definitely stand for Machine Learning which is the first thing that comes to my mind

23 points

That’s not true at all. ML was used as an ideological choice as it’s the only free TLD you can get and you should not have to pay for a domain name as per Lemmy’s creators’ ideology.

2 points

lemmy.ml, what type of drug are you on

1 point

Do you have a source for that statement?

-13 points

I’m going to have to make a copy paste for this:

.ml stands for Mali.

.ee stands for Estonia.

.tv stands for Tuvalu

Just like .ca stands for Canada.

53 points

I think it’s because ML is a popular shorthand for ‘Marxist-Leninist’ since they mostly seem to be communist servers

-73 points

.ml stands for Mali.

.ee stands for Estonia.

.tv stands for Tuvalu

Just like .ca stands for Canada.

30 points

It was free

5 points

I’m guessing because it’s sort of an alliteration on lemmy?

33 points

It was free

And

Lemmy creators are Marxist Leninists

12 points

They’re tankies, that’s why.

1 point

So they can support Russia by proxy.

2 points

Lol so one could say they fucked around and have now found out (yes I realize that was a sarcastic answer)

0 points

It was free, and anonymous I guess

8 points

It’s not anonymous. In fact because it’s free it requires more data to prevent someone from acquiring all of the domain names.

28 points

I know a ton about DNS and its technical functionality, not necessarily the regulations guiding registrars, but the technician in me says your TTL (how long other servers wait until asking where xyz.ml points to) hasn’t expired, maybe? Perhaps the government administration process simply hasn’t executed any action against those particular registrars yet?

I never liked TLDs that are from random islands or less than stable countries and there are so many great TLDs available now, I simply don’t see the reason to use such obscure TLDs just for the marketing factor.

13 points

Thanks for answering. I figured it was a registrar thing. How bad do you think the situation will be for other .ml domains?

I’m guessing fmhy.ml was using Freenom but lemmy.ml and lemmy.ml were using a different domain registrar, hence the situation right now.

34 points

Yeah, not a good situation.

The main story I found seems to indicate that many government communications have been misdirected due to the typo of .ml instead of the intended .mil - reserved for the US military. 🤦‍♂️ There has been an entrepreneur that holds the contract to manage Mali’s country domain and that’s expiring Monday (24th?). I’m assuming the government is not renewing the contract and will instead be taking over the domains and any related data. He has been collecting some of that data and warning the US government about the issue to no avail…for 10 years.

Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to gather the misdirected emails. The Malian government did not respond to requests for comment.

Their contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.

ICANN is the body responsible for the gTLD initiative, which gives you names like .social and .world. They are an American non-profit with a multinational committee, handling nearly all of the databases that store our Internet address records, etc., you can be relatively assured that your domain won’t be messed with.

The instances really have no option here than to test out moving their systems to an alternative domain and “bench test” their migration to discover a path that works or at least come to the conclusion to start all over.

7 points

I never liked TLDs that are from random islands

I remember reading somewhere that Tuvalu gets like 10% of their entire yearly income from Twitch.

I now pronounce Twitch as Twitch dot Tuvalu, but I get weird "huh?"s when I say it like that.

4 points

I for one will now be joining you in this crusade 🫡

8 points

You can see all but posts and comments won’t be on their server until back online that are a few it went down. So I can visit my communities like https://lemmy.fmhy.ml/c/artwork that I mod. I can see it but nothing will happen until it comes back online. That’s what I understand at least.

98 points

Man, hacking, DDOS and now this. The fediverse just can’t catch a break…

78 points

Resiliency is the strongpoint.

If Reddit shuts down, all of Reddit dies.

Same with Facebook, YouTube, etc. Is that highly unlikely? Well, yeah, but still nonzero. The fediverse offers resiliency in this regard, and no one person has the ability to shut it down. Even if all instances decide to shut down, new instances can still be spun up.

39 points

If the communities you like to read and post to are down, then Fediverse is effectively down for you. Thus it doesn’t offer any additional resilience, it’s not a P2P system.

21 points

Stuff like technology has multiple big communities, I can go to the one on .ml .world or beehaw and still get a lot of content

12 points

Just because anti-lock brakes fail to work in all scenarios doesn’t mean they’re not still an improvement.

Lemmy is still up for most people. That is resilience. If you are affected by this outage, then it failed for you in this particular case but that doesn’t mean the mechanisms don’t exist and that they won’t work to your advantage in the future.

7 points

True but if you have several interests, hopefully spread over several instances, then there is resilience because if one server crashes, you have at least some other things trucking along.

1 point

can fediverse be P2P like i2p?

36 points

Would help if users spread out over all the running servers because problem is just a few lemmy servers have all the users. For example the instance I run would be a simple proxy to use for all the content and then would mitigate issues when a big server had problems since just parts of the fediverse would be affected from the users pov.

28 points

I feel like communities are the bigger problem here. And not one that’s easily solved.

If users from multiple instances come together in communities, those communities are still centralized on a single server. So if something happens to that server, or if your instance defederates with it, the whole community goes with it.

The alternative would be to have tons of duplicate communities spread over many instances, but that’s a bad user experience.

9 points

I think it can continue even without the source server? Like, once I press the Reply button on this comment, it gets saved to my instance (lemmings.world) then it lets all the other instances know, including lemmy.world (where the community is hosted) and slrpnk.net where you are registered.

Now let’s say lemmy.world stops existing, my instance still would let all the other instances it federates with know, meaning you could read my reply on a community that basically no longer exists. Though I’m pretty sure there are downsides to that (like, what if all the mods were from lemmy.world? There’s no admin who can add a new mod).

At least that’s what I think it works like.

7 points

I wonder about this as well – because communities are tied to a specific home instance, that instance going down affects that community, potentially killing it. Something more akin to hashtags/tags/labels wouldn’t be tied to an instance so they would be more robust, though you’d lose the moderation of a community and just have a firehose of posts/comments…

5 points

Wow, you’re right. We really need to bring back something like USENET, where newsgroups (their “communities”) weren’t tied to a specific server. We could almost just resurrect NNTP, although the handling of images (and binary data more generally) probably needs some tweaking.

2 points

Jesum Crow… Tags aren’t a new concept. Just group communities with a tag… is that incredibly complicated to implement or something?

1 point

It doesn’t have to be a bad ue though. The concept of multi-communities would make it easier to see communities based on topic.

And having a search automation that finds like communities, even if just the same community name on different instances, would really go a long way.

10 points

At this stage in the game, I’m not even sure how to evaluate the trustworthiness of instances. Which also applies to the one I’m currently on. I’d like to assume everything is good, but admins do have power that can be abused, like visibility of IP addresses, access to accounts, access to passwords (reusing passwords is bad but especially don’t do it here and certainly don’t use the same password for your email associated with your account).

Facebook abused those powers (zuck even bragged about being able to see everyone’s passwords, emails, private messages, pictures), so did Reddit (though more with shadow banning or quietly removing/restoring posts).

Fediverse instances are just run by random people as far as I can tell. I’m sure there’s some that should absolutely be avoided and I’m sure that there’s some that are perfectly fine. But I don’t have a clue how to determine which list a specific instance is in, otherwise I’d love to join someone’s small instance.

Edit: oh and that only goes into whether the admin is acting in good faith or intends to be abusive. Then there’s the question of whether the admin is competent enough to run a server without it getting pwnt and giving others access to that same information and capabilities.

8 points

You are correct. A lot of the internet is built on trust. This is no exception. I suggest having an account in more than one instance so that you are not too vested into 1 place.

8 points

the problem is most users fear that if they choose a small instance, that it goes down random more likely and their account and everything else is gone. if you choose a bigger instance it feels less likely that the admin of the instance just says fuck it and kills the server random for whatever reason.

as long accounts can’t be easy transferred and are maybe even safe somehow without their instance, people will choose the instance that feels the most secure to them. and when i looked at the available instances… most looked not really long term secure. most did look like they are random ideas of people and they could vanish any second into the void. so i as an example did choose lemmy.world. seemed the most safe option with the best features (nsfw allowed, a lot of users and a big instance)

4 points

On a small instance, you have greater opportunities to take action to positively support that instance. You can make friends with the administrator, volunteer to become an administrator yourself, donate cash to offset running costs, lodge helpful reports, welcome new users, etc…

4 points

I understand the logic but it’s actually backwards. A small instance like mine is easily paid for totally out of my own pocket and requires no outside funding or maintenance because I can do everything. If too few people donate to major instances then the costs start to run away from the owners. In some ways becoming too large is a problem.

2 points

My exact same thought process and why I’m here on lemmy.world as well. Once they get the server setup process more streamlined (hopefully dockerized) I’ll probably setup my own private use server, but until I get around to that project I wanted to pick one that didn’t seem like it would vanish once the guy hosting it started getting those hosting bills.

3 points

Does that really scale though? The load on a server is not dependent on the number of users, but on the number of communities from other server that the sum of user is subscribing to.

Which means if you have a server for 100 users, you still need to pay for the 1000s giant communities that those users are subscribing to, as they are being copied over in your server.

So if you have a few mega server like Lemmy.world, they each pay say 10000£ in hosting a month (number taken out of my hat), which is fine because they have as many users that can contribute to it financially ( via donations, ads etc.). But small servers won’t be able to support that load and will ultimately close.

That sounds like a design flaw if you ask me but i did not see anyone mentioning it so maybe i’m misunderstanding.

7 points

No, it’s not really as bad as that at all. The disk space is linear in that way but disk space is cheap. All the rest is not taxed heavily by federation. So the big costs like CPU don’t scale up like that.

1 point

I’m on it 😁, well at least one little instance more (just gotta make the email stuff work, over OVH if I can do that).

12 points

and that’s just the first month

9 points

I can’t believe this is just coincidence. This is coordinated.
