by NotSammyHagar 565 days ago
I think the issue is you can register a known company name on one of these and plenty of people will think it's legit. Companies have to register on all these random domains to protect themselves.

dell.shop, that's probably the dell computer I know, right?


The people who would fall for that would probably also fall for `dell.computerdealshop.com` though
When a scam hits someone's inbox or text message, it finds them in a particular time in their life, in a particular state of mind, and in a particular context. It's not just about how gullible or uninformed or whatever they are. They may be tired, they may be drunk, they may be spending all their energy worrying about a sick relative, or trying not to.

They may have just been shopping for a computer, maybe even a dell. Or maybe they need a computer for their kid and don't have the means to afford one and are more likely to fall for a scam advertising a good deal on a computer than for any other scam.

These all add to the probability that someone falls for a scam. Phishing is all about casting a wide enough net that the probabilities align against some of the people you hit at the time you hit them.

Victims are not just uninformed. They are also compromised, and/or incentivized to believe this particular scam, and/or unlucky enough that the scam takes place when they were recently engaged in activity that makes the scam more believable.

Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.

Whether people are more easily fooled by dell.shop or dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general. The eye sees dell first in clear letters for both URLs. Their sick relative doesn't change much here. I would honestly not be sure if either is a scam from the URL alone. The improbable deal at the other end is the only meaningful signal.
> Whether people are more easily fooled by dell.shop or dell.computershop.com is a non sequitur from the rather wordy disquisition about why people fall for the scams in general.

It isn't. People fall because probabilities align. Something can catch their eye to knock them out of it.

A bad URL is a bad probability (for the scammer) in the chain, a really good URL is another good probability. If your assessment is that both URLs look equally good/bad to you, I, of course, won't deny that claim about your own experience. But to my eye, dell.computershop.com looks pretty bad and dell.shop looks pretty good.

I only answer my phone if I'm in the middle of getting a loan and so expecting a call from some unknown number at any time, and even then some numbers look too phishy to answer. The last time I got a loan I got a call from a local area code near the bank, answered, and found myself talking to a scammer about a loan. It was confusing, I believed it was the bank at first! Everything needed to align for them to get that far, including the phone number looking legit to my eyes. To someone else's eyes a number halfway across the country may have looked just as legit. Or the nearby number may have looked instantly bogus. This is exactly my point!

Just the fact that you had your credit report pulled for a loan qualification is immediately sold to ad brokers by the credit bureaus, who will sell it on down the line to less and less scrupulous buyers. It's not surprising to me at all that you got a scam call about a loan while you were in the process of legitimately applying for a loan.

I now ask businesses like these "what number will you call me from" and I put that in my phone as a contact, so that my phone will ring. If they call me from any other number I won't see the call.

Most people don't understand URLs.

Remember that Google was (is?) trying to remove the URL bar. Not just because it reinforces search as the main product and gateway to the web, but also because URLs are kind of hard for most people.

Which brings us to the original argument: is this a reason to ban gTLDs? Surely the cost of banning gTLDs outweighs the enormous benefits of making it easy for society's productive users to find names they like.

We also shouldn't discount the incredible benefit of having additional namespaces and markets positioned against domain name squatters. gTLDs linearly increase the costs to squatters. Good names can be found with lots of alternative gTLD offerings, which greatly increases the supply side for builders and entrepreneurs.

Ultimately gTLDs probably won't be banned simply because there's money to be made by the ICANN and registrars.

Many people do not understand URLs, many people do, and many people have an understanding in between. And they are all targets for scammers.

And I don't think gTLDs should be banned! But I don't like bad arguments even when they support my preference.

dell.shop is more believable than dell.computershop.com because shorter URLs seem more believable and valuable.

If you don't agree I have a computershopthatisreallycoolandcheap.com to sell you.

> Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.

I see this and raise you HP using domains like h30434.www3.hp.com for decades now. They only started to disappear fairly recently. Many companies will do it and people don't really care.

> Seeing dell.computerdealshop.com will snap a lot of people out of it where seeing dell.shop would not have.

Would love to see citations for that.

It's just a claim. There's no support for that actually happening. And no real source.
It would be nice if browsers surfaced the information about when you last visited a site. In the certificate information panel for Firefox you can find things like, "You visited this site 1067 times before" which is helpful information when evaluating if you're on the site you think you're on.
They're different. Companies register all kinds of crazy domains and redirect you through them all the time. Why is it crazy that some marketing person at Dell thought it would be cool to link people to 'dell dot shop'? I would check the certificates, but honestly only as a precaution. If the website looks correct that isn't such an insane thing.

That is exactly why it's so dangerous and effective versus your example.

> I would check the certificates

What good does that do? It is pretty rare for companies to get an EV or OV certificate, since it is more expensive and more hassle than a DV cert, and even when they do, the name on the cert isn't always what you expect since it might be the name of the owning company, not the brand you are familiar with.

Whois on DNS isn't always reliable either, since it often just points to another company that provides a DNS service (such as AWS).

> Companies register all kinds of crazy domains and redirect you through them all the time

That's the real problem with domain trust these days. Companies go out of their way to make sure you know to only visit official links, and then do stupid stuff like buying vanity domains for one-time deals, or make you click through mailchimp tracking URLs because marketing tracking is more important than your customers falling for phishing. Those vanity domains then end up expiring, and now emails and web links that used to go to an official $brand server are all ready to be swooped up by scammers. Customers never stood a chance.

This isn't a TLD problem. It's a shitty company problem.

I wholeheartedly agree. Subdomains exist for a reason. Vanity domains are so incredibly sloppy and unserious.

Another issue is that they can make password management more of a chore. Every time I need to look up my Microsoft login, I have to remember to actually look up “live.com”. Except sometimes the login page is served from “microsoft.com”. Oops, you forgot your password and reset it; now your password for the other domain is out of date. Utterly ridiculous behavior from a company of their stature.

This made me think I'd somehow not saved my MS password because it wouldn't show up if you searched "microsoft". I know you can combine them like the other comment mentioned but what an awful default experience.
Bitwarden can list multiple domains in one entry for a password - it might be good to find out if your manager can do that and merge some?
1Password too. This is a must-have feature for me.
That seems like the textbook definition of a bandaid solution. Does that even work for the new hotness, passkeys?
iCloud Keychain can too, and I’ve already done that. It’s still an annoying and pointless extra step.
There is no domain trust problem, because there is no trust to be had on domains.
do you trust that you are on Hacker News right now?
What I meant was that you cannot put any trust in the contents of DNS labels; they should be handled as opaque blob-like identifiers. The only meaningful thing you can do with a domain name is to compare its labels to some reference.

So no, I don't trust that I'm on HN because I put any trust in the domain "news.ycombinator.com" signifying anything. I only trust that I'm on the same HN that I was on yesterday because the domain matches the reference value exactly. But the domain name could be anything, as long as it is stable.

Maybe it would be better to say "there is no inherent trust on domains". I trust HN today because I was on HN yesterday, and the day before, and last year, and 10 years ago, etc., and it's always been trustworthy (so far as I know).

But if I saw a link tomorrow for hackernews.shop and I went there, I'd be very suspicious.

> do you trust that you are on Hacker News right now?

Is Hacker News asking for my credit card or impersonating any other site?

where am I…??
A little searching shows Dell have dell.to, used as a link shortener, even though Dell has little business in Tonga.
Maybe companies should stop doing that then? Also, homonyms aren't uncommon for smaller companies, especially across the world.

EDIT: and ninjaed...

Have you seen the domains Microsoft uses? Half the time I am not sure if they are genuine or not, it's actually crazy. Sometimes they use .com, other times .ms. Sometimes Microsoft is in the top-level other times it's in the second-level. Sometimes they have no subdomain, sometimes they have two. It's utterly inconsistent and it's insane to me how close some of them look to actual phishing domains...
If you get credits for Azure they're accessed through microsoftazuresponsorships.com. Why not sponsorships.azure.microsoft.com or something like that? I checked it three times when I got the link, because it's exactly the kind of domain someone would use if they were going to steal your Azure credits.
That's hilarious..
It is not actually important as you know you cannot trust microsoft more than the usual scammer anyway.
Maybe, maybe not. [citation needed] But store.apple.com is perfectly legit, so what’s wrong with apple.shop[0]? Sure, you and I know that one is a subdomain and one is a TLD. How many random folks on the street in Des Moines know this? 15%? Less? “Say what? It matters which end the ‘shop’ part is on? Whose brilliant idea was that?”

[0] sigh Apparently nothing is wrong with it, as it redirects to apple.com. So much for that example; take in the spirit intended.
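The "compare the labels to a reference" rule from the earlier comment, and the subdomain-versus-TLD confusion in the apple.shop comment, as an added example that is not from anyone in this thread. It assumes a constructed, tiny stand-in for the Public Suffix List and a constructed set of previously visited registrable domains; the point is that only an exact registrable-domain match counts, and a familiar brand label in any other position is flagged rather than trusted.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (the
# real list has thousands of entries). Multi-label suffixes such as co.uk
# are why looking at the last label alone is not enough.
PUBLIC_SUFFIXES = {"com", "shop", "scam", "to", "ee", "ms", "uk", "co.uk"}

# Reference values a user or password manager would have stored from prior
# visits (constructed). Only an exact match of the registrable domain counts.
KNOWN_GOOD = {"dell.com", "dell.co.uk", "ycombinator.com", "apple.com"}

# Brand labels derived from the reference list, used only to flag lookalikes.
BRAND_LABELS = {d.split(".")[0] for d in KNOWN_GOOD}


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of host, or None if host is
    itself a public suffix or ends in a suffix we do not know."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning from the left finds the longest matching suffix first.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def assess(url: str) -> Tuple[str, Optional[str]]:
    """Classify url as 'known', 'lookalike' or 'unknown' using nothing but
    an exact comparison of its registrable domain against KNOWN_GOOD."""
    host = urlsplit(url).hostname  # lowercased; port and userinfo removed
    if not host:
        return ("unknown", None)
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return ("known", reg)
    # A trusted brand name appearing as some other label (dell.shop,
    # dell.computerdealshop.com, dell.com.evil.shop) is not evidence of
    # anything; flag it so the mismatch is visible rather than reassuring.
    if any(label in BRAND_LABELS for label in host.split(".")):
        return ("lookalike", reg)
    return ("unknown", reg)


if __name__ == "__main__":
    for u in ("https://www.dell.com/", "https://dell.shop/deal",
              "https://dell.computerdealshop.com/", "https://store.apple.com/",
              "https://apple.shop/", "https://dell.co.uk/"):
        print(u, "->", assess(u))
```

A real deployment would load the actual Public Suffix List instead of the constructed set; the comparison logic stays the same.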

There aren't "people who fall for phishing" and "people who don't", generally speaking. I know highly intelligent and talented people, well educated in general online security, who have fallen for phishing links and scams.
It's certainly possible to strongly protect yourself though, vs casually relying on intuition which is hopeless. You just need to establish a process or set of rules to follow. Businesses do this all the time. A classic scam is sending an invoice asking for payment, and some disorganized businesses will just pay you! But those with a process won't because you won't be able to give them a matching purchase order number and other things their process needs.

A basic personal protection is to not trust anyone who initiates contact with you, no matter who they say they are or what they know about you. Verify by contacting them independently instead.

Very true. My dad (late 60s) has written a DNS server, but still nearly fell for an email scam when he was sleep deprived and at the airport believing his flight was overbooked and he was going to be kicked.
I am unlikely to fall for either of them, but given compromising factors as mentioned by the other commenter, I am much less likely to fall for dell..com than dell.

Due to the widespread usage of 3+ common TLDs (com, org, net, etc.) and arbitrary third-level domains, people have been trained that the second-level domain is the one that matters. Now that gTLDs are more common I've needed to retrain my brain that the TLD is also a necessary heuristic for authenticating websites.

Even aside from that, you probably want to register your own .sucks and .rocks, which just means whoever operates that registry gets to make a bunch of money from companies squatting domains that nobody wanted and bring no value to the world.
That’s kinda the point. Scammers want to deal with the poorly informed, the gullible, the vulnerable. They concomitantly prefer that the wary and street-smart select themselves away. A marketing professional would recognise the effective segmentation going on, and every new TLD is an opportunity in that regard.
I do not think so. I think if someone had made an effort to rip off the real Dell site I would fall for it. I am just so lucky that scammers mostly prefer to go after the easier marks.

I am not sure what a better solution could be. The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.

I do however still prefer more gTLDs to minimize domain squatting.

> The idea of EV certificates was good but executed poorly. Maybe a way to link certificates to business IDs.

The idea was bad.

Anybody can open the Dell Flower Shop. They can call their company Dell Inc. and register the domain dell.shop and they're not doing anything wrong, because they're in a different industry and nobody is going to confuse a tulip with a laptop. And then they could get an EV cert that says Dell Inc. -- because that's who they are.

Which is why EV certs are worthless. Just because it says Dell doesn't mean it's that Dell. There can be arbitrarily many companies with the same name in different industries or locations. But then what is the certificate supposed to tell you that gives you more information than the domain name? The average person is not going to know a company's registration ID with the relevant secretary of state, or generally even what state they're incorporated in.

People would fall for `dell.scam` too, it's a numbers game.
Also depends on how their browser shortens the display of the URL
Answers like this, that basically call the users idiots and abdicate any responsibility on the part of tech, are a losing long-term business proposition. Figure it out and gain loyalty and market share.
I'm doubtful that most non-technical people familiarize themselves with TLDs/domain names. They use a search provider for whatever they need. As far as emails/phishing goes, it's a game of cat and mouse; it will never be over. Basically, don't trust unprompted email links and just go to the site if it's something you really want.
The always-search-instead-of-bookmark practice then introduces this situation: https://www.bleepingcomputer.com/news/security/sneaky-amazon...

It's really an unsolvable cat and mouse game without properly familiarising oneself with the dos and don'ts of the internet.

I wonder if we could add some type of verification registry. It would be nice if browsers could have a big indicator saying that this website is verified to be associated with Dell Inc.
Some HTTP certificates do exactly that, and web browsers used to show the company/identity the certificate was issued to in the URL bar. Now you have to go to the certificates detail, very clear on Firefox, behind a few clicks on Chrome. Here's an example from a bank in Spain: https://www.bbva.es
HTTPS certificates should do exactly this.
They should. And sort of already do. Though, I wonder how difficult it is to register with some certificate issuers under a fraudulent name.
That was EV certificates. They were finally removed from browsers completely around five years ago because they didn’t actually work. At all. The problems were largely social. Plenty has been written about it, you can find it by searching.
Well, the original HTTPS certificates too were supposed to work like that; I remember reading a security article criticizing the EV proposal by quoting the old (circa 1998?) policy statements of different CAs and showing that they're pretty much identical to the EV requirements.
> Companies have to register on all these random domain to protect themselves.

"Nice business you got there. Shame if a scammer bought your name on my new TLD."

Yep that's the issue, I'm just saying I'd rather have that problem than the one where I can't register a clean looking personal domain because every idea I have is already registered (with 95% of them leading to a parking page untouched for years except to pay the bill). Feels like we just need more names available and I don't see how else we could get them.
Are dell.com, dell.co.uk and dell.ee owned and backed by the same corporation?