Simon Willison's Weblog: domains

Three months of OpenClaw

2026-02-15T17:23:28+00:00

It's wild that the first commit to OpenClaw was on November 25th 2025, and less than three months later it's hit 10,000 commits from 600 contributors, attracted 196,000 GitHub stars and sort-of been featured in an extremely vague Super Bowl commercial for AI.com.

Quoting AI.com founder Kris Marszalek, purchaser of the most expensive domain in history for $70m:

ai.com is the world’s first easy-to-use and secure implementation of OpenClaw, the open source agent framework that went viral two weeks ago; we made it easy to use without any technical skills, while hardening security to keep your data safe.

Looks like vaporware to me - all you can do right now is reserve a handle - but it's still remarkable to see an open source project get to that level of hype in such a short space of time.

Update: OpenClaw creator Peter Steinberger just announced that he's joining OpenAI and plans to transfer ownership of OpenClaw to a new independent foundation.

Tags: ai-agents, openclaw, ai, open-source, domains, openai, peter-steinberger

PyPI: Preventing Domain Resurrection Attacks

2025-08-19T15:36:44+00:00

PyPI: Preventing Domain Resurrection Attacks

Domain resurrection attacks are a nasty vulnerability in systems that use email verification to allow people to recover their accounts. If somebody lets their domain name expire an attacker might snap it up and use it to gain access to their accounts - which can turn into a package supply chain attack if they had an account on something like the Python Package Index.

PyPI now protects against these by treating an email address as not-validated if the associated domain expires.

Since early June 2025, PyPI has unverified over 1,800 email addresses when their associated domains entered expiration phases. This isn't a perfect solution, but it closes off a significant attack vector where the majority of interactions would appear completely legitimate.

This attack is not theoretical: it happened to the ctx package on PyPI back in May 2022.

Here's the pull request from April in which Mike Fiedler landed an integration which hits an API provided by Fastly's Domainr, followed by this PR which polls for domain status on any email domain that hasn't been checked in the past 30 days.

Via Hacker News

Tags: domains, pypi, python, security, supply-chain

Ask HN: What happens to ".io" TLD after UK gives back the Chagos Islands?

2024-10-03T17:25:21+00:00

Ask HN: What happens to ".io" TLD after UK gives back the Chagos Islands?

This morning on the BBC: UK will give sovereignty of Chagos Islands to Mauritius. The Chagos Islands include the area that the UK calls the British Indian Ocean Territory. The .io ccTLD uses the ISO-3166 two-letter country code for that designation.

As the owner of datasette.io the question of what happens to that ccTLD is suddenly very relevant to me.

This Hacker News conversation has some useful information. It sounds like there's a very real possibility that .io could be deleted after a few years notice - it's happened before, for ccTLDs such as .zr for Zaire (which renamed to Democratic Republic of the Congo in 1997, with .zr withdrawn in 2001) and .cs for Czechoslovakia, withdrawn in 1995.

Could .io change status to the same kind of TLD as .museum, unaffiliated with any particular geography? The convention is for two letter TLDs to exactly match ISO country codes, so that may not be an option.

Tags: dns, domains, hacker-news

Every remaining website using the .museum TLD

2022-11-20T00:53:44+00:00

Every remaining website using the .museum TLD

Jonty did a survey of every one of the 1,134 domains using the .museum TLD, which dates back to 2001 and is managed by The Museum Domain Management Association.

Via @jonty@chaos.social

Tags: domains, museums

How CDNs Generate Certificates

2020-06-26T00:03:45+00:00

How CDNs Generate Certificates

Thomas Ptacek (now at Fly) describes in intricate detail the challenges faced by large-scale hosting providers that want to securely issue LetsEncrypt certificates for customer domains. Lots of detail here on the different ACME challenges supported by LetsEncrypt and why the new tls-alpn-01 challenge is the right option for operating at scale.

Tags: acme, certificates, domains, thomas-ptacek, tls, fly

The death of a TLD

2018-07-28T20:07:00+00:00

The death of a TLD

Sony have terminated their .xperia TLD. Ben Cox used Certificate Transparency logs to evaluate the 11 total TLDs that have been abandoned since the gTLD gold rush started—since HTTPS is becoming the default now these logs of issued certificates are a great indicator of which domains (or TLDs) are being actively used. The only deleted TLD with legitimate looking certificates (apparently for a mail server) was .mcdonalds

Tags: certificates, dns, domains, tls

Domains Search for Web: Instant, Serverless & Global

2018-01-26T01:14:52+00:00

Domains Search for Web: Instant, Serverless & Global

The team at Zeit are pioneering a whole bunch of fascinating web engineering architectural patterns. Their new domain name autocomplete search uses Next.js and server-side rendering on first load, then switches to client-side rendering from then on. It can then load results asynchronously over a custom WebSocket protocol as the microservices on the backend finish resolving domain availability from the various different TLD providers.

Via Guillermo Rauch‏

Tags: domains, websockets, zeit-now, microservices

SSL Issuer Popularity

2017-11-21T14:44:56+00:00

SSL Issuer Popularity

The impressive growth of Let’s Encrypt in one graph: from 4.87% of TLS-enabled domains in May 2016 to 36.68% in November 2017.

Tags: domains, ssl

What is the best service for web hosting and buying a domain? Is it better to have both under one provider?

2013-09-22T15:12:00+00:00

My answer to What is the best service for web hosting and buying a domain? Is it better to have both under one provider? on Quora

No, it's not better to have both under the same provider. Good web hosts do not necessarily make good DNS hosts and vice versa.

Tags: domains, hosting, web-development, quora

How did art.sy get a ".sy" url?

2012-05-31T11:00:00+00:00

My answer to How did art.sy get a ".sy" url? on Quora

Here's a generally useful tip: if you're interested in learning more about ANY top level domain, visit the Wikipedia page for it - which will be http://en.wikipedia.org/wiki/.sy in this case (just add the domain, complete with its dot prefix, directly after en.wikipedia.org/wiki/ ).

The wikipedia page will tell you which country the domain refers to, who the registrar is, what restrictions there are on those domains and plenty more besides. In this case, .sy is Syria - not exactly the best country to be associating your brand with these days!

Tags: domains, urls, wikipedia, quora

Are there any disadvantages to using domain hacks for your product website?

2012-01-16T16:29:00+00:00

My answer to Are there any disadvantages to using domain hacks for your product website? on Quora

If you ever get written up
In the mainstream press you can almost guarantee that they will screw up the URL they publish (by sticking a .com on the end or fixing a deliberate misspelling). Sadly this still seems to be the case after 20 years of the Web!

Scary story about this here: http://www.skrenta.com/2007/03/k...

Tags: domains, web-development, quora

Why is Google indexing & displaying www1 versions of my site and how might I stop this?

2012-01-09T12:43:00+00:00

My answer to Why is Google indexing & displaying www1 versions of my site and how might I stop this? on Quora

You should stop serving your site to the public on multiple subdomains. Configure your site to serve a 301 permanent redirect from www1-www4 to the equivalent page on www - also, make sure that your site accessed without the www redirects to the right place as well.

The use of 301s will avoid any SEO penalty.

Why should you take this relatively extreme measure? Because serving on multiple subdomains hurts you in a bunch if ways:

1) Your SEO is spread across multiple copies of the same page, hurting your page rank.

2) Your cookies may end up spread across multiple domains, hurting your analytics and resulting in frustrated users who are signed in on only some of your subdomains

3) You're damaging your scores on social media sharing sites. To use quite an old example, delicious used to use the number of bookmarks to a unique URL to decide what would appear on their "popular" page. Having multiple URLs for a piece of content split that score, making it much less likely you would appear there.

4) You're making life harder for yourself should you need to switch to serving your entire site over SSL (which you may need to do to see Google search referral information as they move more of their search results pages to SSL)

Using rel=canonical is a good short-term fix, but it's not too hate to implement the proper 301 fix and in my opinion it's well worth the effort.

Tags: domains, google, search-engines, seo, quora

Why don't more websites use alternative domains?

2010-10-13T11:49:00+00:00

My answer to Why don't more websites use alternative domains? on Quora

Because regular human beings don't understand them, and expect everything to be a .com. Here's an interesting post from 2007 on why Topix.net spent $1,000,000 buying the .com domain: http://www.skrenta.com/2007/03/k...

Tags: domains, urls, quora

Is the .ly domain unsafe? Why?

2010-10-12T15:27:00+00:00

My answer to Is the .ly domain unsafe? Why? on Quora

It's always been unsafe in my opinion. Why build your company around a domain name that's controlled by the Libyan government?

Tags: domains, quora

Why do so many Internet sites end with the letter 'r' (but not 'er')? Think about Tumblr, Dopplr, Migratr. What's behind this?

2010-09-08T13:52:00+00:00

My answer to Why do so many Internet sites end with the letter 'r' (but not 'er')? Think about Tumblr, Dopplr, Migratr. What's behind this? on Quora

We just launched a project called lanyrd, which is a play on lanyard. We partly picked the name because the domain was available, but there's actually a big advantage to using a made-up word: it's really easy to search for coverage and feedback on Twitter, Google Blogsearch and the like. The string "lanyrd" is almost exclusively used to discuss our project - had we used a dictionary word, tracking down feedback would have been a lot harder.

Tags: domains, internet, quora

Some People Can't Read URLs

2010-03-02T10:16:09+00:00

Some People Can't Read URLs

Commentary on the recent “facebook login” incident from Jono at Mozilla Labs. I’d guess that most people can’t read URLs, and it worries me more than any other aspect of today’s web. If you want to stay safe from phishing and other forms of online fraud you need at least a basic understanding of a bewildering array of technologies—URLs, paths, domains, subdomains, ports, DNS, SSL as well as fundamental concepts like browsers, web sites and web servers. Misunderstand any of those concepts and you’ll be an easy target for even the most basic phishing attempts. It almost makes me uncomfortable encouraging regular people to use the web because I know they’ll be at massive risk to online fraud.

Tags: domains, facebook, phishing, security, urls

Dangers of remote Javascript

2008-01-20T09:49:06+00:00

Dangers of remote Javascript

Perl.com got hit by a JavaScript porn redirect when the domain of one of their advertisers expired and was bought by a porn company. Nat Torkington suggests keeping track of the expiration dates on any third party domains that are serving JavaScript on your site.

Tags: domains, javascript, nat-torkington, oreilly, perldotcom, security, xss

UK domain registrar 123-Reg crashes and burns, taking its customers with it

2007-11-18T11:24:07+00:00

UK domain registrar 123-Reg crashes and burns, taking its customers with it

I was hit by this yesterday: can anyone recommend an alternative DNS host with a really easy to use interface (I’ve made mistakes modifying DNS in the past) and rock-solid reliability?

Tags: 123reg, dns, domains

Bust A Name

2007-08-20T15:40:01+00:00

Bust A Name

Smart Ajax powered domain search; you give it some words, it shows you available combinations. It’s still almost impossible to find something that doesn’t suck though.

Tags: ajax, bustaname, domains, rails

FreeYourID.com

2007-02-13T16:26:50+00:00

FreeYourID.com

A free .name domain for 90 days, with built-in tools for managing e-mail forwarding and your OpenID. Could do with some unobtrusive JavaScript, but they’re really fast at responding to suggestions.

Tags: domains, freeyourid, openid

Details of Google's Latest Security Hole

2007-01-14T13:36:59+00:00

Details of Google's Latest Security Hole

For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services.

Tags: domains, domainsecurity, google, security, xss

TBL on TLDs

2004-05-22T06:23:35+00:00

Tim Berners Lee (how many TLA celebrities is that now?): New Top Level Domains Considered Harmful. Read the whole thing - Tim blows the .xxx and .mobi proposals out of the water and takes a neat swipe at for-profit registrars in the process. Reading this, the main thing that struck me is how incredibly forward thinking TBL really is. People complain about the long duration of W3C processes and the futuristic nature of the semantic web but the W3C are trying to build technologies that will still be relevant ten or twenty years from now. When you consider the longevity of TCP/IP, this is a really smart strategy. It's a shame so many people involved with the web have trouble thinking past the next few months.

Tags: domains, tim-berners-lee, urls, w3c