[weekay]

This is very common in retail. What tends to happen is that a retail buyer would work with a supplier and order a product in . That product packaging will have a promotional or information site it will link to & is printed as a QR code. From a buyers perspective they are doing this as it’s a way to provide value or information to their customer and supplier fronts the cost of this. The IT teams within retail aren’t kept in the loop and neither are they aware of a site that is hosting any of this content. All the content and marketing of this is done by a agency who are hired and managed by the category or merchandising teams in the head office . Product sells for a quarter or maybe 6 months at the most . Products get rotated and goes back to warehouse until such time in a year they need to liquidate the stock and do promotional discount pricing as part of back to school or Black Friday etc., By then the agency that fronted this and created the site has lost its domain or the site isn’t maintained/ gets compromised etc., At that point the product is on the shelf , domain is hijacked or the hosting provider / host gets taken over by a malicious actor. Then the IT / security teams in the retail organisation are asked to step in and support their business colleagues. Every major retail corporation will have this happen to them at least once a year. IT teams will have a laugh about this and nothing ever changes as a process as it doesn’t really affect the share value or damage the reputation of the retailer as such

[hedora]

Always remember to convert a QR code back to text before printing / distributing it.

There are some shady QR code generation sites on the Internet that produce codes that work for a week or so, but go to some unexpected third-party domain that redirects to your site. Later, you find out that you have to pay them a subscription fee if you want the QR code to keep working.

[tetha]

This is why I've grown even more careful about introducing new domains in production.

If I keep everything in one or a small amount of production domains, even if a product is shut down, a project ends, and everyone has long forgotten about it - it's still hitting my load balancers and I can deal with it. Cheaply, too. Some 404 pages delivered by a loadbalancer probably cost cents or less per month. I can also make it a cute branded image based on a few conditions as well if you give me that.

And some POs are arguing how this is controlling and how this might be constricting freedom and such. And, yes it is. But on the other hand, we won't have porn hosted on something the company once promoted. Unless the company wants to rebrand as such.

[SoftTalker]

Yeah registering a domain is sort of a permanent act. If you ever let it expire, someone else can take it over and start receiving all emails, http requests, and anything else directed at services you used to run there. And possibly responding to them. They'll easily get certificates to verify the domain, since all that's needed to do that is control of the domain.

[Iulioh]

"a domain is forever" is kind of a scary thing

[bombcar]

DNS was designed to delegate subdomains, and we should do it.

But easier for every team to grab a new domain.

[Too]

From a customer point of view this is also a lot more trustworthy. Hypothetical example. If i visit annualpromotion2023.pepsi.com. I know for sure Pepsi owns the domain and would be more comfortable putting in personal information there, compared to pepsiannualpromotion.com, that is a lot more likely to be a scam.

[b3lvedere]

One of my customers found out someone copied their website almost to perfection under a different domain name and started advertising their products for way less prices. They wanted the website gone of course. So now i had to explain our company doesn't have any jurisdiction on some website hosted on the other side of this planet.

[dazc]

I have recently received a subpoena from 'the other side of the world' regarding a domain I registered recently.

It seems the domain in question was one of many involved in IP infringement against a global fashion brand long before I came along. A simple check of registrar data would confirm I have f all to do with this.

Either some big law firm knows different from you or are just scamming their client? Surely this can not be the case?

[dmurray]

I don't think much of the technical or moral chops of big law firms involved in the intellectual property game, but this seems reasonable to me.

The site was being used to do some bad thing to their clients, they're justified in assuming the current owner might know something about it. Changing registrars and WHOIS info is exactly the kind of thing a shady site might do to throw off investigation. If you're fortunate, you'll at least get your reply read by someone who can understand the plain English of "it wasn't me, I bought the site since then" and doing a bit of research to cross check that.

[NikkiA]

What this needs is a mitm service that gives shortened/custom urls like https://prom.os/paw_patrol_biscuits that redirect to the vendor's site, and when the promo/limited-run is over the url can be 'turned off' in a control panel and then default back to a 'This promotion has ended, but visit <vendors general site>' for more information on products' or such.

I guess it'd be hard to get companies to use such a service, except for situations that cause product issues like this one we're seeing.

[kevincox]

A lot of online QR code generators provide this service (often by default without making it clear that they are injecting their URL). It can definitely be useful to "change the URL" after deploying the code, but you still have the same problem that you don't control the domain. If you stop making payments or the company goes out of business then you are out of luck.

IDK if any of these services support custom domains. So that you could have qr.mycompany.example or whatever. That way if something goes wrong with the service you can at least direct it to something else.

But I think in general you should control your URLs. Especially for printed material. Often this would be something like a short URL or some other small name that can be directed to the intended final site and changed at any point.

[jahewson]

In other words, the biscuits need more shortening.