This isn’t limited to just domains, though it’s good to consider. What happens when Google, Microsoft, or anyone else recycles unused accounts? Unfortunately for them, it seems like email addresses have been so tightly coupled with identity that it seems unreasonable that an address could be reused after any period of account inactivity.
giancarlostoro · 37m ago
I was angry when I realized my hotmail account I used from 2000 all the way through the 2010s got wiped by Microsoft. I was using gmail more, but still someone else got my old email and all the emails I used to receive along with it I'm sure.
srini_reddy · 1h ago
Google wont allow you to register with the deleted/suspended/inactive email address
giancarlostoro · 36m ago
I wish Microsoft had done this to my deleted Hotmail, instead some random person got my email, and potentially access to every website I ever registered to with said email...
nottorp · 1h ago
Why is Google notifying me that they'll delete the account associated with <some email address that i do own> lately then?
They'll delete the storage, or make that email available for new registrations?
thewebguyd · 15m ago
Google's support page says they don't recycle usernames, ever so once an email is registered that's it, even after they delete the account. However, the by product of that is you won't be able to re-register that email. Once its gone, its gone forever.
nullwarp · 50m ago
FWIW I am unable to register a gmail for an account I deleted probably 8 years ago at this point. That said I don't know if there is anywhere where it explicitly outlines if it is or is not possible.
nottorp · 27m ago
Ah so I either click on it and recover password or give up on it. Decisions decisions...
ocdtrekkie · 2h ago
One of the places this worried me the most was Golang, where domains for repositories are used as a package source. Credit where credit's due, when I contacted Google about a developer who had passed before their domain expired, and they were able to lock out the domain from pulling anything new into their cache.
snickerdoodle12 · 1h ago
On the other hand it's pretty crazy you could just get a domain blacklisted like that
ocdtrekkie · 1h ago
It was quite possible to independently prove my report was genuine. I am confident they didn't take my word for it.
I give Google a lot of well-deserved criticism, but they handled this issue pretty well and quite promptly.
sidewndr46 · 1h ago
Couldn't you pay pretty much any random official in a corrupt country to produce a death certificate in any name you want? Maybe it's a bigger bribe than normal, but it seems like it would be routine
ocdtrekkie · 1h ago
So this is where I'd highlight the benefits that an actual human looked at and responded to my email (a rarity for Google), and hence could use human discretion to decide that what I indicated was indeed accurate, and not randomly from a random corrupt country. I really have to emphasize: Any security process that actually works has humans in the loop! (Security doesn't scale.)
The other thing of course, is that the domain was expiring. So similar to PyPI just accepting in the parent article that an expired domain isn't trustworthy, Google could verify shortly thereafter whether or not the domain was renewed by the developer in question.
And ultimately, you're suggesting paying off an official to pretend someone is dead, so you can block package updates to a domain, which doesn't really introduce a security issue, and of course, is trivially reversible when the person in question is, in fact, still alive. As Tony Stark would say, "Not a good plan".
sidewndr46 · 1h ago
I don't think you've ever dealt with the likes of US credit bureaus if you think getting something like a death announcement is "trivially reversible".
I forever am and forever will be a civil engineer somewhere in upstate New York thanks to them. Nevermind I was still in high school at the time and don't even have a shred of engineering qualifications. Whoever you are, thanks for the borrowed ladder my friend.
junon · 56m ago
This is why URI based imports make little sense to me, honestly.
sneak · 1h ago
go’s lockfiles include cryptographic hashes which prevent even Google from maliciously replacing packages in the cache.
tsimionescu · 19m ago
For a given version, yes. But the security risk here is about publishing a new (malicious) version of a previously trusted package, by taking control of an expired domain.
Say I'm using mydomain.org/abc and it's a perfectly fine package. I'm currently using v1.25.7. Two months later, I see a new version of mydomain.org/abc, v1.25.8. I will likely update to it and use it relatively confidently. But, unbeknownst to me, mydomain.org's registration expired one month ago, and a malicious actor has grabbed it in the meantime; and they have now released a malicious version of this package. Nothing in Go's security model prevents this type of attack, except that Google's package "cache" (the package repo that Go downloads things from) can be configured by Google to not provide that malicious package.
This is a major design flaw with the silly idea of using an extremely imparmenent identifier - DNS names, which can only be leased for a limited time and are automatically auctioned off after they expire - as the main identifier for something as long lived as Go packages. No other package ecosystem has this terrible design concept - even when they do use DNS, they use it only for an initial authentication, not as the only identifier.
For example, in Java's Maven repo, to publish a package org.mydomain.abc from a Maven Central account, you need to prove that you have ownership of abc.mydomain.org once when associating this package. Afterwards, the package name remains associated with your Maven Central account, forever. If you lose access to that domain name and someone else obtains, they can't go through the same steps, Maven Central won't let them, since that package name is already tied to your account.
junon · 55m ago
This doesn't address availability or discoverability though. There are no upsides other than a fleeting sense of "decentralization", without any of the securities of a real decentralized protocol.
ocdtrekkie · 1h ago
A malicious actor could, however, quite trivially add one to the version number. ;)
arccy · 4m ago
No technical solution is going to save you from an upstream going rogue and you blindly updating. The only way is to properly review your dependencies.
sneak · 1h ago
All of this because we still haven’t solved durable long-term strong cryptographic identity on the internet.
(Actually we have, but nobody wants to make people install Metamask or similar to log into websites.)
thewebguyd · 12m ago
Flawed and doesn't scale now, but wasn't that the idea behind PGP and key signing parties? Nothing enforced, but the idea was someone was supposed to verify your identity irl before they signed your key.
zokier · 1h ago
Keybase had good concept originally and they even had some momentum for a sec, but then they took VC money and imploded. Considering how simple system it was, I feel it should be something we could implement again (without spof)
ocdtrekkie · 2m ago
I really liked Keybase, and do note that Keyoxide exists as an open-source project where annotations of proofs are made directly on the PGP keys and no longer requires a central point of failure. ;)
I will say there are downsides to cryptographic keys being required for updating a package: One of the biggest pain points we have in Sandstorm is we both verify authors using their PGP key (from Keybase, as it happens, it's an old project), and we have a keypair for each app which you need to update it.
The end result unfortunately is sometimes we have trivial one-line fixes for apps which are abandoned by the author, and it is very difficult to deploy said fix to end users. This can hypothetically manifest in the form of unfixable security problems. We do have a way to forcibly change the key, but it's intentionally a pain to do, and of course, is possible because ultimately the central authority has the ability to code the platform to circumvent that key anyways.
Which is to say, you do trade some security risks for other security risks, whether it's a better situation is an exercise for the reader.
dvtkrlbs · 47m ago
I think that is mainly because crypto or anything crypto related is tainted bu scams etc. So a regular user just doesnt have the same trust. Another problem is crypto gets attackwd way more since it also involves real money.
They'll delete the storage, or make that email available for new registrations?
I give Google a lot of well-deserved criticism, but they handled this issue pretty well and quite promptly.
The other thing of course, is that the domain was expiring. So similar to PyPI just accepting in the parent article that an expired domain isn't trustworthy, Google could verify shortly thereafter whether or not the domain was renewed by the developer in question.
And ultimately, you're suggesting paying off an official to pretend someone is dead, so you can block package updates to a domain, which doesn't really introduce a security issue, and of course, is trivially reversible when the person in question is, in fact, still alive. As Tony Stark would say, "Not a good plan".
I forever am and forever will be a civil engineer somewhere in upstate New York thanks to them. Nevermind I was still in high school at the time and don't even have a shred of engineering qualifications. Whoever you are, thanks for the borrowed ladder my friend.
Say I'm using mydomain.org/abc and it's a perfectly fine package. I'm currently using v1.25.7. Two months later, I see a new version of mydomain.org/abc, v1.25.8. I will likely update to it and use it relatively confidently. But, unbeknownst to me, mydomain.org's registration expired one month ago, and a malicious actor has grabbed it in the meantime; and they have now released a malicious version of this package. Nothing in Go's security model prevents this type of attack, except that Google's package "cache" (the package repo that Go downloads things from) can be configured by Google to not provide that malicious package.
This is a major design flaw with the silly idea of using an extremely imparmenent identifier - DNS names, which can only be leased for a limited time and are automatically auctioned off after they expire - as the main identifier for something as long lived as Go packages. No other package ecosystem has this terrible design concept - even when they do use DNS, they use it only for an initial authentication, not as the only identifier.
For example, in Java's Maven repo, to publish a package org.mydomain.abc from a Maven Central account, you need to prove that you have ownership of abc.mydomain.org once when associating this package. Afterwards, the package name remains associated with your Maven Central account, forever. If you lose access to that domain name and someone else obtains, they can't go through the same steps, Maven Central won't let them, since that package name is already tied to your account.
(Actually we have, but nobody wants to make people install Metamask or similar to log into websites.)
I will say there are downsides to cryptographic keys being required for updating a package: One of the biggest pain points we have in Sandstorm is we both verify authors using their PGP key (from Keybase, as it happens, it's an old project), and we have a keypair for each app which you need to update it.
The end result unfortunately is sometimes we have trivial one-line fixes for apps which are abandoned by the author, and it is very difficult to deploy said fix to end users. This can hypothetically manifest in the form of unfixable security problems. We do have a way to forcibly change the key, but it's intentionally a pain to do, and of course, is possible because ultimately the central authority has the ability to code the platform to circumvent that key anyways.
Which is to say, you do trade some security risks for other security risks, whether it's a better situation is an exercise for the reader.