Re-list domain registrars

[namazso]

Since this question comes up every once in a while on matrix and reddit, I think we should have a page for them again.

imo we should start off by these providers:

Njalla

Pros:

• Only provider that can provide you with a domain without having to give up personal info: They own the domains for you instead of being a proxy for registrations.

Cons:

• If they disappear one day, you might lose your domains.

Cloudflare

Pros:

• Follows ICANN policies well
• Comes with WHOIS privacy by default
• Supports DNSSEC with a single toggle
• Has a good track record of only giving out personal info following subpoenas only
• Cheap (zero profit)
• Not a reseller

Cons:

• Locked to Cloudflare DNS
• Few TLDs available
• You need to manually disable them issuing certs for your domain

Local accredited registrar for the TLD

As registrar location was used in the US and Germany for claiming jurisdiction, I think we should also recommend looking for accredited registrars at the registry of the desired TLD, situated in the same jurisdiction. This reduces legal exposure to one you have anyways from using the TLD. Might want to mention to look for DNSSEC support

Minimum criteria for listing

• ICANN accredited
• A good set of non-resold TLDs
• Resold TLDs (if any) are easy to tell apart
• DNSSEC support
• WHOIS privacy (preferably for free)
• GDPR compilance
• Preferably not overlapping with another listed one in served TLDs

Additionally, we should add a warning about how people shouldn't just fill in fake data for WHOIS. Doing so means they might lose their domain at any time.

[TrashPandaCodingGarbage]

I would not recommend Njalla. Trustpilot is full of reviews that they suspended the domain without any explanation, refusing to give back the ownership. How about Namecheap?

[namazso]

Also while searching up Njalla's previous affairs, found this great thread: https://twitter.com/brokep/status/1389314362561777665

This is exactly why we should discourage resellers, it adds an extra party to the mix. Njalla really is just an exception because of their "owning for you" model

[ghost]

Namecheap's DNSSEC is broken.
They still use the SHA-1 algorithm, which was banned by RFC 8624.

[freddy-m]

Not opposed to adding Njalla - it would just need a warning. As a service, it is pretty much unparalleled; all other registrars require personal information whereas they need none. The catch, of course, is that you don't own your domain - so theoretically anything could happen to it. (On an unrelated note, their founder is a cool guy who follows us on Twitter).

Namecheap doesn't have any obvious features that would warrant it being recommended, AFAIK.

[jonaharagon]

Definitely gonna +1 NOT adding Namecheap, for the record lol https://twitter.com/_nyancrimew/status/1563518722748256260

[ghost]

This is not good. This is a problem before privacy.

[ghost]

With Cloudflare DNS, SSL certificates are issued by Cloudflare without your consent.
This is a security risk for those who provide their own SSL certificates or for those who do not need a certificate (those who use their domain exclusively for email).

[namazso]

Interesting, I can confirm this happened on a domain that I only used with non-proxying entries in DNS. I'll try to ask them about it, maybe it's an incorrect handling with the SSL setting (which I had on Flexible, but that shouldn't matter when nothing is proxied)

[ghost]

I have asked Cloudflare support before, but it seems that it is not possible to manually revoke a certificate that CF has issued on its own.

[namazso]

I can understand how complicated revoking them would be, I'm rather interested in why it is created in the first place

[namazso]

Good news: You can actually disable this, as I just learned:

[ghost]

Unfortunately, disabling it from the web does not revoke the issued certificate, which can be verified in https://crt.sh/.

[ghost]

Cloudflare is a bad option.
Cloudflare's Whois Privacy Protection is inadequate and the country and state/province where you live is always exposed.

[namazso]

that's in line with the ICANN requirement for GDPR: https://www.icann.org/resources/pages/gtld-registration-data-specs-en section "Requirements for Processing Personal Data in Public RDDS Where Processing is Subject to the GDPR"

[ghost]

Hmmm, but Namecheap and Google Domains offer full protection; Cloudflare is inadequate.

[namazso]

Well, maybe it could be better, but I don't think this issue is worth more than a yellow box at most, unlike the certificate thingy.

[ghost]

I would not recommend 1984 Hosting either.
Some of their nameservers do not have AAAA records. This may hinder name resolution from IPv6-only environments.
https://www.hardenize.com/report/1984.is/1661590310#domain_dns_zone

[matchboxbananasynergy]

I don't know if I'd want to have this section again, unless it was done as a full package (as part of helping people establish their own corner on the Internet). It would have to be a big PR introducing multiple sections and guides to the site.

[ph00lt0]

I think it would be good to have an option for domainnames. Many people will use their own domain for proton and simplelogin for a few reasons:

• in case proton ever stops offering you service or you get locked out you likely are still able to move to another provider
• less chance of getting blocked because you are using a domain that isn't known to be an alias.

[dngray]

I don't know if I'd want to have this section again, unless it was done as a full package (as part of helping people establish their own corner on the Internet).

It could perhaps be a part of privacyguides/privacyguides.org#1686 perhaps.

[ph00lt0]

I like to stress that Njalla does not have a privacy policy and on repeated requests has neglected to change this.

[namazso]

I don't really understand the goal you have with this tbh. If you want to be completely invisible I also wouldn't really recommend using your unique domain.

There's the so called "pseudonymity" which in fact most visitors of PG seek for at most services. You're using a pseudonym (ph00lt0) right now. If you provide an association between your pseudonym and IRL name to a service, you always risk them being hacked in the future.

[ph00lt0]

What you say about hijacking is very unlikely to happen imho and depends on the TLD you use.

Where did you find that about name.com?

You most likely have a different threat model then me. I do not care about someone knowing my name and also do not attempt to hide it. I care about the companies being able to target me effectively and using data to link profiles. The prevention for a hack you describe is what we call security by obscurity.

[namazso]

What you say about hijacking is very unlikely to happen imho and depends on the TLD you use.

No, it depends on all parties in the chain. You, the registrar, any additional registrar they resell, and the registry. All of the places where they're located can reason why they have rights for jurisdiction.

Where did you find that about name.com?

The .AC registry lists them as the only registrar: https://nic.ac/new.htm

You most likely have a different threat model then me.

Me, and from my sample of the last few months of r/PrivacyGuides a good chunk of PG's visitors.

I do not care about someone knowing my name and also do not attempt to hide it.

good for you

The prevention for a hack you describe is what we call security by obscurity.

.. so, what you mean is "just don't be targeted"? Gee, why didn't we think of that! Think we can just delete the site now, the privacy problem is solved.

[ph00lt0]

Yeah so as I said this depends on the fact that you talk about the .ac TLD. Others might have other jurisdictions. Personally I still believe the EU market rules to protect your purchase better. I think the risk of a provider doing something bad is higher than a government tying to hijack my domain. The latter they will be able to eventually do anyway, no matter where you registered it. All EU countries have authority support in the US and vice versa. My arguement is not that you shouldn't try to hide from the government. This may be necessary in someone's case. I just don't believe it to be successful. If your threat-model requires that you may want to use .onion domains or use a zero-knowledge provider such as Protonmail's domain. That one will be protected by the company and hijacking it would be harder to sell as it's known to be used by many more people.
Additionally if you want to de-associate your domains from your own identity fully you would also have to find another way to pay for them. In that case it might be beneficial to buy it though a legal entity for this. But all that is very complicated, and not necessary for the masses. Most people want to protect themselves from being tracked around, not from a government possibly hacking them. Much of the advice on this website wouldn't be suitable for the last category.

[ph00lt0]

I would like to revoke my OVH recommendation. As they seem to require ID card copies of new users. This poses a risk for identity theft which I would say is too high.

[freddy-m]

Unsure whether this is within the scope of the site. Then again, we often get asked what domain registrars we recommend. Thoughts @privacyguides/team?

[matchboxbananasynergy]

I initially agreed with you, however the argument from @ph00lt0 that people might want a custom domain for their e-mail was quite convincing. If people are going to need a custom domain, we might as well help them choose the best option from a security and privacy perspective.

[freddy-m]

It makes sense to me - should we open an issue?

[matchboxbananasynergy]

I think the idea for the page makes sense, however I don't think we're quite there on exactly which providers we should recommend. I don't know if this discussion or an issue is the appropriate place to iron out the details - I leave that up to you.

[freddy-m]

I think Jonah explained what the difference is, but we still need to clarify what is appropriate for what... For now this discussion should work...

[jonaharagon]

@freddy-m @matchboxbananasynergy Issues just have to be actionable (no discussions, no questions, no duplicates):

We can open issues for suggestions that (1) we absolutely want to do, i.e. they're confirmed, and (2) someone specifically is planning on actually doing it eventually, i.e. they're assignable.

I will leave it up to you both on whether this qualifies, mainly because I don't want to create this PR myself, since I already have ~3 other issues I'm planning on tackling soon. Details like what will specifically be recommended don't have to be completely worked out beforehand (see the open personal health issue for example), but don't open one if you don't know who will eventually write the PR, since we don't want to have issues open forever.

[ghost]

If you can accept the name of your organization, state/province, and country being published in Whois, Gandi may be a good option.

[ghost]

That point is off the mark. There are registrars that offer "full Whois privacy" and those that offer "partial Whois privacy"; Cloudflare and Gandi's Whois privacy is partial. Google Domains and Namecheap, on the other hand, offer full Whois privacy.

[ph00lt0]

I don't believe this to be official terms, are they? We should generally require a registrar to hide your information. Permanent exposure of an address does not seem to aligned with the goals we have.

[namazso]

Your country's name is not "an address". GDPR does not consider it personal information, therefore the ICANN temp spec does not require it to be hidden. I don't think it's worth more than a yellow box at most. If there's already industry standards (like ICANN temp spec) that major players follow, I don't think we should make up our own extra requirements. Just like how we just use GDPR compliance as a metric.

[jonaharagon]

I don't believe this to be official terms, are they?

There is a distinction between WHOIS Privacy and WHOIS Redaction (which is a newer concept within ICANN's guidelines, I believe). WHOIS Privacy has an intermediary company substitute their information for your own in the record, and hides all registrant information from the record. WHOIS Redaction keeps all your information as-is, but does not publish personal information (see Cloudflare's policy for more info).

Full WHOIS Privacy could theoretically have legal implications by making that intermediary company technically the owner of the domain name. There are some protections against this put in place by ICANN, but this issue has been litigated in the past. Technically this means that Namecheap, GoDaddy, etc. are all acting the same way Njalla does when it comes to registrations for the purposes of domain ownership. WHOIS Redaction avoids this issue.

[ph00lt0]

@namazso I do not agree with your comment on country details under GDPR. GDPR does not have a defined list of what is personal data. Any data that helps to identify a natural person is considered personal data under GDPR, therefore a country can perfectly be personal data. It's somewhat far stretched, but you make a very big assumption here that a country couldn't distinguish two people and help with linkability.

From what Jonah says I would argue the privacy or redaction doesn't make much difference as long as the details of the owner are not exposed.

[ghost]

Why You Shouldn't Use Cloudflare:
https://community.cloudflare.com/t/revoke-and-prevent-the-issuing-of-certificates/235478

[dngray]

Discussion should continue in privacyguides/privacyguides.org#1686

I think if we're going to do a self hosting page, we should do something on registrars, as you need a domain to self host anything.