In case this turned out to be misleading, I picked a random GoDaddy-hosted low-cost site (hometailer.com) and yep, there's the code:
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpbh'},{'server':'a2plvcpnl83247'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></sc...
GoDaddy is the Oracle of web hosting companies. I don’t understand their popularity, yet it seems to be going strong. Why is that? (Serious question, not rhetorical.)
Cheap .net packages, shitton of advertisement, constant discounts and offers, and more importantly they own the domain market.A lot of people buy domains from them and it doesn't take long to host something on that domain, so why not stick with them. Long story short, the power of convenience.
Although I have mixed feelings, I've switched all my domains to Google... the one down side to Google's domain management is there's no way to bulk edit contact information (when you move).
It's about as simple as it gets to add services, but Google's DNS is included (as opposed to GoDaddy's, which is slower) and I don't get pressured multiple times and have to click less obvious links to not choose other services. Privacy is included at cost, for TLDs that support the option.
What happens if you are locked out of your Google account? This can happen for some silly reasons and some times without recourse. Will you lose your domains, effectively ruining your business?
I have to say, google domains is about the only case where I have had responsiveness from google support. And it is a concern to me... I think that if google does such a thing it would be easy enough to demonstrate real damages in a lawsuit against google.
Sure you could probably win a lawsuit. However what about the lost business you will incur until the lawsuit is done and Google decides to follow the court order?
See the part about "real damages." In a case, as such you could demonstrate the impact and estimate ongoing damages as a result of googles (in)action. Given the offset in size and likely irresponsible nature the amount google would have to pay would include your damages, lawyer fees as well as additional punitive damages. This is how common law is supposed to work.
NOTE: I am not a lawyer, and this is not legal advice.
I was talking to my roommate, a non tech person, and asked her where she she got her domain, out of interest. She said GoDaddy. I let her know about their shittiness, but normal non I.T. people don't know enough to care.
It’s name recognition. Whenever I have to help a company, friend, or family that doesn’t really know “tech”, their domain is, without fail, hosted by GoDaddy.
This solution is for the 1% or the 0.1%, the vast majority who choose Linode are creating vulnerable servers because they are not going to competently keep the machine up to date on security patches or configure it properly for security.
Managed hosting is a requirement for the masses, and comparing a managed hosting service with a self-service VPS is a bit disingenuous IMO. Managed may seem more pricey, but that's only unless you don't value your own time as an administrator, or if your time isn't valuable (you're not good at it lol).
Parent comment is referring to software vulnerabilities running on the box itself, not vulnerabilities in your website. When Apache or whatever it is that you use to serve your static website comes out with a vulnerability that allows RCE as root, it becomes a problem for you, even if your website is static.
FWIW I use Namecheap / Linode myself, and will probably never go back to shared hosting. But the flip side of that coin is you do need to manage it, regardless of the website you are hosting.
> Parent comment is referring to software vulnerabilities running on the box itself, not vulnerabilities in your website. When Apache or whatever it is that you use to serve your static website comes out with a vulnerability that allows RCE as root
Or you can opt out of this mess and run a simple server. Not as root.
The update & maintenance treadmill can be slowed down to nearly a halt if you're ok using simple software that doesn't have a billion features and just as many bugs. Which, I suppose, someone running a static site would be quite willing to do.
I'm sure we all have fond memories of that time we sat our grandparents down when they wanted to make an anniversary site and explained to them how easy it was to run a simple server, after which they spun one up in a container and secured it no problem.
Little old grandma just loves ssh'ing into her pet server every day to read her system logs.
My grandmother's website for her small business was purchased via GoDaddy. This was before those commercials even started airing.
It's not a strawman at all. I am speaking from real experience, except for the part where my grandmother could tell you the difference between SSH and SSL.
Godaddy is not doing much more than auto-updating packages with security fixes. This is easily handled with most Linux VPSs (often automatically, in the case of DigitalOcean). I am pretty sure the Amazon Linux AMIs do this too on AWS EC2. And most other distros can turn this on once with one command.
I don't think GoDaddy is going much deeper than this, so security is a moot comparison between the two. In fact most sites are hacked at the application level anyway, not the system level. So the real security hole is not something on Linux, but the actual wordpress site thats installed within it. Food for thought: 83% of hacked websites in 2017 were Wordpress sites.
Source: https://sucuri.net/reports/2017-hacked-website-report
A lot of people recommending NameCheap in this thread.. it's worth noting that they supposedly gave a warning to a guy running a forum with millions of visitors that they would suspend his account if he didn't remove two images within 24 hours (https://news.ycombinator.com/item?id=14139288), and that they're dumping costumers private info (https://news.ycombinator.com/item?id=18063667). I'm guessing there are other horror stories as well, but those two alone (which to me sound credible) were enough reason to take my business elsewhere.
Hey, the same thing happened to me! They asked for my password during a livechat session, and i was like "what the hell".
Also, another time I was having problems with their stupid 2FA app (back when they ran their own app and it broke constantly), and their solution was to just disable the 2FA for my account. They said I can set it up again whenever I want to. So then I told the woman, that if someone wanted to hack into my account, they could just open a livechat and get my 2FA disabled and then log in, why should I even bother having 2FA at all if you're just going to disable it.
To be fair, they finally moved to a more traditional 2FA now, where you can use any 2FA app instead of their proprietary namecheap app. So they might not do this anymore. I think they were disabling 2FA back when they used their own app for it, because it was super buggy and people (like myself) would get locked out of our accounts for no reason other than their app was buggy.
seconded. been using this for years and works incredibly well - perfect also also as a secondary DNS.
Their UI hasn't always been the latest & greatest (but even here they came a long way in the past 2 years). their knowledgeable (and helpful) customer support really makes up for it.
I don't know the internals of the company but would assume that the people running it are still the same team who founded it and they really know networking & DNS inside-out. Refreshing in a time where financial and marketer types have taken over a lot of the decision making in tech or where you're in a customer support loop for ages and everything is handled by a bot.
Their “no upselling” policy has taken a bit of a nose dive these days with pestering about things. In an email I have with their CS they said it’s not upselling, but offering you things other customers have found useful... Yeah right... all it’s not as annoying as GoDaddy’s at least was (not used them in years) but you are still trying to upsell me; just ditch your no upsell policy :-p
I still have a few domains with them it I’ve been using namesilo lately after hearing about them here and no complaints. Well the only complaint I have of them is they don’t have the range of TLD’s as namecheap does (but it’s only a handful of TLDs such as .es)
I did, largely because they take security seriously, but CloudFlare domains isn't a registrar: You can't set the nameservers to whatever you want. It's a CloudFlare lock-in service.
The fact that you can't change the nameservers doesn't make them not a registrar. They absolutely are a registrar. Just one that doesn't let you change the nameservers.
But you know what? I'm okay with that. I honestly can't think of a scenario where I'd want to use any other nameservers.
> I honestly can't think of a scenario where I'd want to use any other nameservers.
What about the scenerio where you are thrown off of cloudflare service? A CDN is more inclined to ban sites to limit their own risks from litigious IP owners, etc, irregardless of who would win an actual court case.
The registry probably has rules on what they can do to customers that curtail them; they are probably not bound (ha!) to anything wrt serving DNS requests.
I'm saying why would you let a CDN be your registrar in what sounds like an abnormal registrar agreement. (If they block you from the CDN, what happens then?)
I believe the path for Krebs when under DDOS was free CF cloud to akamai to special status (from Google?) Using CF domains with or without CF's normal services turned on would have made akamai impossible until a transfer process to a real registrar completed leading to an extra week or so of downtime.
I was a huge fan of Namecheap, and I have like 25 clients using them.
But... I haven't been a fan of them lately.
I've got a password manager and 2FA on all my accounts, and I went to sign in. I kept getting an incorrect password response. Reset, tried again. Just kept getting the same error. Freaked me out as I couldn't sign in.
Fast forward, came to find out because I was on my company VPN they were blocking me. Rather than just show a message, "We don't accept users on a VPN..." they let me think my password was wrong and go through the panic of not being able to sign in. And, even thought they thought I was some sort of spammer / hacker for using a VPN, they were more than happy to discuss my sign in details over live chat.
I sort of get "security" here, but they shouldn't be heavy handed with just saying who can and can't sign in, and if you are going to block me, tell me why -- at least send an email letting me know what's up if you don't want to display a browser message. 2FA was enabled, at that point... just leave it up to the user where they want to sign in from, don't put in secret rules around who can and can't sign in.
Anyway, I moved everyone over to Amazon Route 53 and haven't had any more issues.
Unfortunately that's what many companies do. IIRC, this includes connecting with OVH ips to mojang (minecraft) login servers. It's becoming a popular practice that is not good in UX terms at all
Sounds like a great practice. You don't let the spammer know they're found out, and if you call customer support about it they are able to tell you what's wrong after you've verified extra info. Would you rather they give hackers access to lock you out or unlimited access to keep trying?
Security by obscurity is none at all, the customer/hacker can call up and provide information/pretext no problem - plus the information is available on public sources (such as this one) on why the issue occurs - a smart enough attacker can just use other proxies until it finds one you didnt ban, whereas legit users are probably SOL.
Blocking known source of brute force attempts and attacks is not security by obscurity and it should be a mandatory practice.
Run a website of any importance and you will quickly be shocked at the amount of malicious traffic that keep coming from Tor/DigitalOcean/VPN/openproxy and a few other sources.
Just to clarify something, I was a legitimate user with a strong password (100 character) and 2FA enabled.
And they blocked me.
They didn't tell me why, I figured it out on my own inadvertently.
I wasn't on a junky free VPN, I was on a corporate VPN service.
And I was blocked, worse I was given false information about my password being incorrect... and worse still, given that they assumed someone was trying to enter a fake password, they never emailed me to let me know -- I had to contact them.
Plenty of legit reasons for someone to use a VPN. I'm relatively certain nobody from the telco in Australia who set up the VPN had been trying to hack Namecheap, looks more just like someone found a way to classify that IP as a VPN and blocked it.
And look, to put the nail in the coffin, they were more that willing to tell me the email address to check for the reset password via live chat.
Anyway I tend to be the guy harping about security, but when they start banning VPNs just for being a VPN I don't think that's secure, I think it's obnoxious. We should encourage people to use VPNs, not make it annoying for them.
Proper procedure would be to let the bad guy try, block the IP (or better yet, browser finger print), let them know why they were blocked (in case they aren't a bad guy), and (if the owner didn't have 2FA) send the owner an email saying someone was trying to get access but wasn't successful.
For users with 2FA, all you'd ever really have to do is send an email to the owner, and / or access distribution list, letting them know when a certain user signed in. I wish more people offered this service, getting access notifications when any admin signed in would be key for helping me figure out what task broke something if I have to go fix it.
I have had so many problems with 2FA and Namecheap. I use 2FA on any service that will let me. Needless to say, I am very confident in using it. All my 2FA are set up in my Authy app, and i use it many times a day without issue.
But then comes namecheap. They are literally the only service on the internet where I will get locked out with 2FA. It will keep claiming it is the wrong password, when I know its not. I don't ever have a problem with any other online service, but the 2FA on namecheap is a constant problem.
I have been locked out on Namecheap for no reason now 5+ times that I have now just turned it off.
Now that I read your comment, I wonder if I have the same problem. I am sometimes logged in via VPN and I wonder now if that is why it was rejecting me. Its frustrating because i know the password is correct and the app is set up correctly, but it will keep claiming I have the wrong password. Like i said, I now just have it turned off, because I am terrified of losing access to my domains. But I am also terrified of not having 2FA protecting my domains. So its made me consider transferring elsewhere.
I also considered just using Amazon. Most of my domains are already using Route53 as a premium DNS instead of relying on Namecheap as a DNS anyway. So I am considering just having them be the registrar too.
I've been trying to move away from Network Solutions (now web dot com) for years and NameCheap was the closest to a halfway decent registrar I could find. That said, I don't like them or any of the other registrars. Most of the registrars have been bought up and their backend wrapped with some other companies junk UX. I also tried name dot com. They don't even have the capability to set apex DNS names as NS records. Black Knight closed my account with no reason at all. The only halfway decent registrar is Mark Monitor and they are too expensive for my hobby sites. I always move corporate DNS and Cert management to Mark Monitor, but for personal use, all the popular registrars are just garbage, in my strong jaded opinion. MM is just a reseller of certs and they don't even offer all the capabilities of the vendors they resell.
I am purposefully staying away from AWS. They are super popular right now and developer friendly, but I know how their business operates and that popularity will subside in a few years. I predict many of their users will feel betrayed at some point in the future after enough people have moved to their DNS.
This is quite ironic because I used to work in the security team at GoDaddy, writing tools to scan and clean websites infected with malicious code injected the same way. To find out that the company is using the same technique (for something less malicious?) is very surprising to me. I guess they never asked for a review of this feature to the security team, otherwise I doubt they would have approved it.
It's not unheard of. Some platforms offer New Relic RUM integration which breaks shit (like XML sitemaps).
I am guessing the hosting provider gets access to the information the client also gets, but that's just a guess without any evidence. It would just make sense in the absence of regulation.
This is something absolutely unthinkable in our company. However, we have heard of other providers using similar tactics in the past, so always do your research before trusting a provider with your website.
It's very common with features like A/B testing, analytics, advertising and CDN.
This should be inserted by the customer instead of filtering traffic, but not necessarily. It's very user friendly to only have a button to turn something on or off.
It’s pretty surprising to me that they could ship a feature like that without an enforced review by security and probably several other teams (legal and pr come to mind immediately).
The very notion that GoDaddy could be in a position to "clean" websites of malicious code is--what's the word?--stupefying? profoundly unsettling? mystifying?
If a customer’s website is being hosted in a shared account, the infection will quickly spread across the other websites in the same server unless the hosting provider takes the matter in their own hands. Years ago, it was common to simply suspend the infected website until the webmaster finished the cleanup by themselves. Nowadays, instead of suspending a website for a minor infection, some hosting providers simply clean the malicious code automatically, or offer a premium cleanup service if the infection is more complex.
> If a customer’s website is being hosted in a shared account, the infection will quickly spread across the other websites in the same server unless the hosting provider takes the matter in their own hands.
Not at any professional hosting service. It's not hard to secure the environment so that it'll take a classier attack than guessing somebody's WP login to get access to any other sites on the host.
The actual problem for hosting services is that compromised sites can be used to annoy visitors or other hosting services.
edit: okay, I don't care about the points, but I'm getting really curious why people disagree with this.
I agree. If it's possible for the infection to "spread across the other websites in the same server", then that implies that clients can access and modify each other's files, which is not the case with any shared hosting provider I've heard of.
What is more plausible is malicious server-side code eating up server resources, and that load impacting the websites of other customers, but that has its own solutions which are different from automated detection of malicious JavaScript code.
Most of the compromises I've dealt with over the years fall into just a handful of categories:
1. Data theft. So, ripping off a database or intercepting credentials while people log in.
2. Embed a link into page output which will try to download something from somewhere somehow. It might be phishing, or (usually) it's some kind of JS trying to infect the user with malware. Lazy attacks work by just popping up a convincing-enough warning message with a link that lets the user download the malware themselves, and it's effective enough.
3. Credit card theft. Using a third party service with iframes makes this harder, but not impossible.
4. Dropping some kind of web-based shell, like C99.
#1 doesn't get anybody to care. If that's all that ever happened, I'm pretty sure shared hosting providers would still be saying, "sucks to be you." #3 causes headaches for the site owner and makes them care, but still not the hosting provider.
#2 got the hosting providers' attention once Google launched Safe Browsing. Suddenly this put some of the responsibility for maintaining a safe network back onto the hosting providers. Their first solution was to just shut down sites discovered to have malicious code, but that really irritated the customers. So gradually hosting providers started trying to be a little more helpful.
#4 is a big headache for hosting providers, because those things don't get picked up automatically by Google, and the shells can be used to irritate other hosting providers, who will definitely start lodging complaints with whoever's upstream of the hosting provider.
Not on this list is, "try to infect other sites on the same server", because shared hosting environments have had easy access to a variety of tools for a long time now that prevents that. In a LAMP environment, that used to include SuexecUserGroup; more modern LAMP environments now use php-fpm and have PHP processes running from distinct unprivileged user accounts. There's also the usual php.ini values, like open_basedir, which limit access to the filesystem or to other PHP functions (allow_url_fopen).
I won't say it's impossible for an infected site to attack another site on the same server in a shared hosting context, but you'll need a get-out-of-jail card and those are harder to come by.
No professional shared host would allow one site to access or modify another site on the same server.
It's not normally the default, but there's a world of bad advice out there telling people to chmod everything to 777 so that their PHP CMS can upload files.
The situation with default file permissions is already terrible enough that no host should ever have o+x on home directories. And once you remove that, it doesn't matter if everything inside is 777.
Most hosting providers don't want to host malware, as it's against their terms. Instead of banning an account, trying to identify affected customers proactively sounds reasonable. Injecting your own code in their site does not.
It's honestly a smart thing for shared hosting providers to offer. Some years ago my co took over a bunch of legacy sites from another developer that were not tightly maintained Wordpress. We hosted the sites at the time at Rackspace Cloud Sites. The main reason we chose their antiquated hosting tier was that Rackspace support would handle infection cleanup when it happened.
It would take us time to assess everything and do up contracts for bring-up with these sites. Everything from old revslider and timthumb to more exotic infections. Once you got a file injection or reverse shell on a host, it would spread fast to everything on the server. Only way reliably back was catching when it came in and rolling it back to before then upgrading the vulnerable components.
"If a customer’s website is being hosted in a shared account, the infection will quickly spread across the other websites"
Hmm Shouldn't my hosting provider provide better isolation and separation from the bad accounts?
I work in a datacenter, and can confirm this exact setup is still quite common even recently. We used to offer our own shared hosting setup. Even though we've moved away from that service model and generally only support Cloud / Dedicated hardware, several of our customers do exactly that, leasing out our hardware and acting as a reseller for shared hosting services, sometimes using Plesk or another turnkey control panel, other times using their custom in-house software.
Unfortunately, shared hosting comes with all the risks described: if just one site on the server gets infected, everything else co-hosted on the box feels the effects, especially when the infection is something resource intensive like a cryptominer, or sends out spam emails en masse and gets the physical box on a blacklist. From an infrastructure standpoint we can only do so much; keeping the OS patched and up to date helps to curb the really nasty infections, but the reseller plays whack-a-mole with their customers, detecting infections and shutting domains down as needed.
It's a bit of a mess really. At the same time though, the economies of scale really seem to favor shared hosting from a pure cost perspective, especially for very small businesses that can't otherwise afford a technical team to manage a VPS. So, I think that market is always going to be there.
especially for very small businesses that can't otherwise afford a technical team to manage a VPS.
I’m way out of my area of expertise here. But from a management perspective, when it comes to managing a lot of VPS’s for something like WordPress, is there a simple service where the underlying OS and plug ins stay patched by the provider? I guess something like Elastic Beanstalk but simpler.
I guess there may be hosting providers that are that insecure, but I doubt it.
There are many ways you can secure and isolate the users. SuExec, grsecurity, strict security policies, 24/7 monitoring are just some of the things a reputable hosting provider would have.
Not to mention that in several cases, the managed service is run with Windows Server (think managed .asp hosting, or using a Windows-only middleware). So you have to tack on the extra resources for a Windows machine and the license costs.
Funny story (but not the ah-ah funny kind): such a service (hosting different customers on the same Windows machine) was still running in my previous company as of 4-5 years ago. They had long moved from physical hosts to VM, but were stuck with the legacy CMS/control panel which was more or less unpatchable (as in, the software editor didn’t exist anymore). About once a week, one of the host VMs would be taken over by hackers using one exploit or another. In that case they would kill the VM, boot a fresh one from a clean image, and start serving the customer data again after making sure it was clean. The service was not sold anymore but they had long-running customer contracts. It wasn’t making enough money to justify rebuilding it with modern software, but it was making enough that simply killing it wasn’t an option.
I was exclusively a Windows developer for 20 years - using Windows as a development and deployment platform. The cost of Windows in terms of licensing and resource was someone else’s problem.
It wasn’t until I started architecting and developing in cloud environments that the true cost of Windows became apparent - when the cost of every project I do can more or less be directly tied to me.
I still development on Windows but I found an appreciation for deploying to Linux.
Don’t get me wrong, I’m not new to the field and in hindsight it makes perfect sense, but back then, I worked for corporations that hosted their own servers and never needed to host a site for a personal/small company.
By the time I got to the point where I would think about doing something on my own, VPS hosting was so cheap, I wouldn’t have thought about anything besides a VPS like Linode.
None of this is true. VPSes have existed since the early 2000s and have been in common use since the mid 2000s; Linode was founded in 2003, for instance. Shared hosting was popular because it cost pennies, whereas VPSes would run you $30+/mo, which of course is more like $5+/mo now.
Linode's kind of expensive. I've been using VPSDime [1] for a few years, since they give us 6 GB of RAM for $7 a month. For smaller stuff, I've been happy with RamNode [2], which is $3.50 a month for 1 GB of RAM. And you can usually find good deals on Low End Box [3]. Of course, at those price points, everything is OpenVZ, which is kind of annoying.
The vast majority of Wordpress deployed in the world (and there's a lot more of it in general than we tend to see in the high tech community) exists on a WHM server, which basically deploys an Apache vhost for every site.
There's a thing called Cloudlinux, which is an additional licensed feature that provides resource fencing, but its a lot less capable than advertised ime.
Moreover, many end users rush to chmod 777 their installation because there's a lot of guides out there telling them to do so. There are also highly rated Wordpress plugins that do this silently because developers read those guides.
If someone takes control of their website and puts malicious stuff on there, GoDaddy being able to ask the customer “Hey, did you mean to do that?” and helping them roll it back is handy.
A lot of SQL injections are malicious ad scripts that will be named the same on each hack. It would be pretty easy to remove something like that as it passes back through Godaddy's router. I would hope they notify the website owner because otherwise you wouldn't know that you have a problem.
When faced with egregious business practices the best option is to switch company. What guarantees do we have that GoDaddy won't toggle the switch back at some point, or introduce other trackers?
There are plenty of website hosting solutions out there.
While at it, switch your domain registrar to a reputable one like https://www.gandi.net/
Yep, and tons of others. And, it seems, they all require the feature to transfer providers. Consumers have the upper hand and should take advantage of it. I guess it requires awareness, though.
Gandi might be great for common domain suffixes, but their support for country-specific domains is poor, they just don't offer that many. If you're not in the U.S. it can be frustrating.
I think it's pretty unfortunate that even now, CSPs are getting so little love in the comments of a post where they would have easily prevented this script from loaded at all, and could have helped the author discover the script the second it was added.
For the unitiated, Content Security Policies (CSP) allow you to, among other things, define a whitelist of origins for things like scripts, css etc. and also notify you of violations. There is little excuse to not set a strong CSP on your sites if you can and you'll be glad you have it once something does happen.
> There is little excuse to not set a strong CSP on your sites
Can't use CSP if you want any ads on your page usually. If anyone here knows an ad provider that plays nice with CSP and pays okay then please do let me know, I'd love to securely monetize a few webapps of mine.
How would a CSP have helped here? GoDaddy injects that additional script tag right into the HTML file it serves. No policy will help if the web server does not serve what you uploaded.
That's not true. CSP can have a specific host/path for scripts and won't even run JS in the page without explicitly opting in to 'unsafe-inline'. It's an important prevention technique against XSS for pages showing user generated content.
My point is that if GoDaddy modifies the HTTP body, they could as well modify the CSP you send in the HTTP header. It is yet another stop-gap, but the real solution is to get a hoster you can trust.
The document ($PAGE + $NEW_JS_SCRIPT) is a new, different work. I doubt the added Javascript is a large enough change to be considered "transformative" and worthy of a separate copyright. The new work isn't a fair use of the original work, because it doesn't meet the statutory requirements[1]: 1) isn't a protected use (education, journalism, criticism, etc), 2) the original work is usually creative and (patently) published, and 3) the entire original work was included. Since the Javascript was added without without consent (or even any notification), we can assume GoDaddy hasn't negotiated with the original authors for a license to made derivative works.
Therefor this is probably a violation of copyright. Does anybody using GoDaddy for hosting want to sue GoDaddy? Statutory damages up[2] to $150,000 per work adds up fast.
Sadly, I think they have their ass covered in their TOS, under "User Content Other Than User Submissions": "You hereby grant GoDaddy a worldwide, non-exclusive, royalty-free, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, combine with other works, display, and perform your User Content in connection with this Site, the Services and GoDaddy’s (and GoDaddy’s affiliates’) business(es), including without limitation for promoting and redistributing all or part of this Site in any media formats and through any media channels without restrictions of any kind and without payment or other consideration of any kind, or permission or notification, to you or any third party."
While you’re at it, why not sue for emotional distress? Or lost income for the time reading this instead of billing clients?
I’m all for GoDaddy being held responsible but advocating this kind of copyright abuse is as ridiculous as it is scary. Are we going to start suing CDN’s for setting custom HTTP headers now?
Why are you using godaddy in the first place? It's not like they aren't universally reviled for many good reasons. You deserve what you get for not educating yourself about what a terrible company they are and voting with your feet.
You might as well be complaining that you're surprised Larry Ellison isn't looking out for your best interests, David Miscavige tried to brainwash you, Donald Trump didn't tell you the truth, and Rick James ground his muddy cowboy boots all over your suede couch.
I don't think victims ever "deserve what they get". Yes, he's responsible for the outcome. But outfits like GoDaddy exist because they're good enough at advertising and PR to fool the novice. People can't be experts in everything.
Blame should stick to the bad actor, not the people they sucker.
>But you don't have to be an expert to conduct a web search.
And if you don't know how to conduct a web search, you shouldn't be building a web site.
>... placing just a little blame on the people who don't engage in even the bare minimum of research
And GoDaddy's uncritical customers tend to be the kind of people who are easily influenced instead of permanently repelled by the kind of commercials GoDaddy is infamous for running.
Yet all my pages were being served with the following <script> injected into them just before the closing </html> tag...
The free hosts I used many years ago would do something similar, with no way to opt out --- that is, until I figured out they were just detecting the '</html>' and inserting before it.
Combine that knowledge with the fact that the closing tag of the HTML element is optional, and you can guess what I did pretty easily. ;-)
I remember those times. They were beautiful. I could spent hours trying to search for the best free webhosting that includes PHP, MySQL and Phpmyadmin, and didnt fill my website with popups or banners at the top/bottom of the webpage.
Some hosts didn't even bother with this. I used a PHP host who ran another script after serving the hosted one, but it you used `die()` you could skip any other fluff they included.
There are at least three places where you can get injected, one is from the ISP (including phone company networks), one is from the hosting provider, and one is from add-ons in the browser.
One of the first Java applets I wrote (and you could easily do this in js) did a hash over the document page and reported if the hash didn't match the one stored in the applet. These days you could throw up an other wise invisible div that said "Page Tampered" please report to webmaster (or you could even do that yourself with a lookup on your hosted side to a script that would log IP/browser etc.
These days you could throw up an other wise invisible div that said "Page Tampered" please report to webmaster (or you could even do that yourself with a lookup on your hosted side to a script that would log IP/browser etc.
I've already encountered pages like that, they piss off everyone who uses adblocking/filtering so I would consider it an anti-user technique.
> There are at least three places where you can get injected, one is from the ISP
I'm not sure if they still do it, but Vodafone in my country (and many others) used to cache and compress photos on all websites, which often led to visible degradation in image quality. Luckily I discovered that their software respected the `Cache-Control: no-transform` header so include that header on all my websites now.
Hey everyone, Krishna here, I’m on the hosting team here at GoDaddy. There are some excellent points in this thread. I wanted to give a little bit of background about GoDaddy’s use of Real User Metrics (RUM) and our plan regarding its use moving forward.
A little more than a year ago, we created a RUM javascript for our customers. The javascript is extremely lightweight and evaluates hosting performance only. We did this to create a better hosting environment for our customers. We rolled this out to a small subset of customers.
As the RUM proved very beneficial in optimizing our hosting platform for our customers, we decided to roll it out to a wider audience. That said, we clearly could have better communicated this program.
Based on all the feedback, we have decided to turn off the RUM javascript immediately and focus on designing the program so that customer participation is on an opt-in only basis. While the RUM data is beneficial in helping us improve our customers’ website performance, we regret that the implementation has upset many of our customers and we apologize for any inconvenience this has caused.
Narasimha Krishnakumar
VP of Product Management - Hosting
GoDaddy
We are not perfect and should have thought through this more. We created the script to be as non-intrusive and lightweight as possible. The number of incidents we saw were so minimal, we kept moving. We’ve obviously learned a lot from this and it will be 100% opt-in when we reintroduce it later.
I thought that would be good enough, I went with WebFaction. But it seems they recently merged with GoDaddy, so even though I explicitly avoided them it turned out I didn't.
I'll mention FutureQuest. I've been with them for 20 years now. I'm certain they're not the cheapest, and I'm aware their website looks a decade or more out of date. But I've been extremely happy with them, they definitely wouldn't do something like GoDaddy did. They started as a small family business, and while they've grown a bit since then, many of the staff are still there. My occasional customer support emails still get answered by familiar names.
Since they're not the cheapest, I throw my experimental projects up on DreamHost, but my mission critical stuff is on FutureQuest.
There are many decent alternatives. From the above, I have used all but Google and Cloudflare. My experience has been pleasant with all that I have used.
I've been very happy with Google's registrar service... the only down side is you cannot bulk edit contacts. The couple times I've needed support they've been available within a couple minutes (once by phone, twice in browser chat). Not like any other Google support issue. Some prices are a little more than GoDaddy, others a little less, that part was pretty much a wash.
The biggest advantage over Google's registrar service, is there's no upsell, at least not that I noticed. They do offer some integrated service options. The included google dns hosting and mail forwarding services are great imho. It could use some slight improvements in UI/UX, but still better than any other registrar I've tried by a large margin.
Mileage may vary, of course, but I really do like the service overall. I'm not affiliated with Google, don't always like everything they do, and do have some reservations about them as a company. That said, imho the best registrar option available.
Lol. Every company you listed gets blasted all the time here on HN.
I normally don't like qoutes but i think the Batman one fits well here with how people perceive companies: 'You Either Die A Hero, Or You Live Long Enough To See Yourself Become The Villain'
It seems that from the start the point was to share novelty domains, i.e. letting other people make subdomains off your domain is the point, and the rest of it kind of grew out from there.
josh the webmaster at freedns is a really great guy. and they are very much into the golden rule philosophy. note also that it is trivial to change subdomains, and you can make your parent domain public, or private.
Their marketing is effective at convincing small business owners they're one of the best choices for hosting. That's pretty much the whole reason they're so successful.
This has convinced me to take precautions. I am adding some logic to my site that if there are more than two script tags (I only have 2) replace body content with error text and send an xhr notification back to the server so that the server will know their pages are compromised
It’s as simple as document.getElementsByTagName(“script”).length
You could do this much easier and better with a Content-Security-Policy. Whitelist the things you want to allow, and set a report-uri to get notified of any CSP violations.
What about those plugins that the user chose and add a script tag? While they should be becoming less common (since I read it's a bad practice), they are still out there.
Hopefully. The alternative (silently alert and hope I pick up the phone) might not be so bad for users if a hosting provider is running analytics or ads, but from a detect-and-alert perspective it's pretty hard to tell the difference between a scummy-hosting-provider script and a credential-scraping bonafide hack. Many people (or robots) who install the latter aren't smart enough to defeat alerting measures, so it's a big benefit if those measures warn the users directly.
I remember when I first bought a domain from them. I guess I fell for the marketing witchcraft, they advertised the domain for a lower price than what I ultimately paid, once I heard about Namecheap I went there and never looked back. My other problem was that their domain management interface was soooo slooooow, it got to me. This was in about 2008, but I rather not fall for their overpriced domains.
Edit: My other pet peeve was that they supported SOPA when that whole mess was ongoing. I can't trust them at all since.
Second Google Domains; I use it for my website because they are cheap, no-frills, and have never tried to upsell me on anything. Sure, it's Google, so it might shut down tomorrow, but the domain registration market is large enough that I could probably just move.
You shouldn't trust Namecheap either. Just because nothing happened to your domain, doesn't mean when it does Namecheap will help. I had numerous issues over the years including someone being real jerk over their chat and just because of their rudeness and knowing my email and full name, was able to took over my account.
We've used Namecheap for 7 years and have had no problems you mention at all and, needing tech help from them only twice, found them extremely helpful and friendly.
I've been very happy with Namecheap. I moved all my domains to them year that Godaddy did some bad shit (off the top of my head, they supported SOPA and the CEO Bob Parsons slaughtered an elephant in Zimbabwe for sport).
Well Namecheap is not much better... they are US corporation but CEO is fine to hire people wherever is the cheapest labor to serve american customers.
Besides, he sounds super unprofessional to me; 7 months ago he was sparing with me because he chose to be blind who is #2 top registrar [1]. He suppose to know this shit as a CEO, no?
A website that hasn't been gratuitously since 2010 is almost a positive sign for a registrar, especially if you only want them to shuffle around paperwork and not managing day-to-day technical aspects of the domain.
Since people are recommending alternatives, take a look at Netlify. It's my new favorite thing.
For me GoDaddy is like a client test. If they are using something else for hosting, plus one point to them. If they use GoDaddy for hosting, minus ten points. If you can't convince them to move away from GoDaddy, you probably want to replace that client if possible with a more reasonable or less cheapskate one.
Also I believe that https would prevent injections.
Nobody should ever use godaddy for a domain registrar or hosting services. Ever inherited a domain that was with them, and had to renew it? The sheer amount of unsolicited add-on offers you have to reject before successfully completing a payment for domain renewal is ridiculous.
There's a reason why companies like namecheap which market themselves on "no bullshit" registrar services are popular these days.
I've been buying exclusively from Domai.nr for the last five years now, and I only ever login to buy a new one, or change payment details--which ends up with me rarely having to login. Years ago when I was with GoDaddy and starting my time on the web, it was daily, I knew some of their support people by voice.
As far as "no bullshit" registrars, Domai.nr has been short of incredible.
Thought I'd share the option if anyone is looking to migrate and at least wants options on the table to think about, along with namecheap.
Sigh. It’s crap like this that will eventually force me to leave WebFaction (that GoDaddy acquired), after a decade of excellent service. I never touched GoDaddy, but it looks like the plague comes to you these days.
This. WebFaction, in my eyes, is as good as shared hosting can get. Built an entire company on top of its robustness & trustworthiness. I was beyond dismayed when I heard the news of the acquisition (sorry, "partnership") and every time the GoDaddy integration is mentioned I go surveying the alternatives.
Not really - the market has moved on to PaaS, a reliable shared-hosting-cum-shell with a Python slant is not easy to come by.
I’ll probably go with an OpenBSD vps somewhere, praying not to get hacked, plus Heroku for when I really can’t be arsed to look after a service. Quite a pain in the ass, though. At least my domains are already on Gandi...
I recently went looking for a registrar and one of the must-haves was U2F. Only Amazon and Google had it. Didn't know that Gandi has it as well. Good to know!
PS: I was disappointed that Cloudflare still doesn't have a U2F support yet they are a part of critical infrastructure for much of the web. We ended up not using them because of that.
I've had good luck with Gandi in the past for SSL certificates, and their U2F support makes me inclined to choose them as my new registrar.
On the other hand, I've heard less than great things about Gandi's reliability and support lately. If you've had to contact their support team, what's your experience been like?
I've never had to contact support, which might be a good thing. Although I did leave them for a while and am in the process of moving my domains to them.
The GDPR lets you set as much cookies as you want. They are mostly an irrelevant implementation detail.
The GDPR will however care that your traffic passes through GoDaddy, no matter if they set cookies or not. To be more precise, the GDPR will consider GoDaddy a processor of your data and you as a controller will need a proof from all your processors that they process data in a GDPR compliant way.
In practice, most european web hosting companies set up a web page somewhere that gives you this proof, and will,for a small payment, give you a signed, printed copy of this page. For most small to medium sites, either option will do.
While this seems pretty terrible in general. The GDPR is generally irrelevant. A large amount of websites will never need to even think about GDPR. If anything there is an over reaction complying to a law that will never be applicable.
GDPR matters to the EU. It doesn't apply elsewhere.
I'm sure it matters to you, but as a rule it doesn't apply to you if you reside outside the EEA.
It applies to "an enterprise established in the EEA or—regardless of its location and the data subjects' citizenship—that is processing the personal information of data subjects inside the EEA" (emphasis mine, text from Wikipedia)
This is the actual text of Article 3 of the Directive. Check point 2. It applies to (for example) an e-commerce in the USA if selling to somebody in the EU or to a
USA company doing behavioral tracking if tracking somebody in the EU. In both cases, even if they are not EU citizens. Only the location matters.
Territorial scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Sure, they're trying to broaden the scope as far as they can. But is it enforceable outside the EEA? I'd love to see a U.S. court do anything but throw out a GDPR case or a European court's ruling based on the GDPR.
GDPR applies to any company with a significant prescene in the EU. I think it's hard to believe GoDaddy doesn't. They sell large number of domains with EU based TLDs. They've even bought EU based hosting companies.
GDPR doesn't apply to companies that only have a tiny portion of EU customers. Good examples would be: small local news, US only shops. (K-Mart, gun shops, etc)
GDPR being an EU law doesn't matter so much when there are so many treaties allowing fines to be forced. This means not being in the EU just makes it more expensive to deal with.
I'm guessing this is some shared hosting solution where you don't have a lot of control or ability to add things like LetsEncrypt (but I'm sure GoDaddy will sell you their SSL offerings).
I noticed some of my sites getting Vodaphone banners when using Ireland/UK sim cards and realize they were injecting crap into my site. That really helped me make the push to use LetsEncrypt on everything.
I realize that 3rd party Wi-Fi/ISPs injecting code is a slightly different issue that the one in the article, but the solution is running SSL everywhere. If you need to login to a captive portal that redirects, there's always neverssl.com
I’ve followed HN for around 10 years now but even basic stuff like this can come across as jazz to me. Funny thing is I understand jazz at a professional level. I feel foolish because I use godaddy, because they have good customer service and their interface is easy to understand but as a HN lurker I want to have good web etiquette. I’m going to see about turning this feature off in the way the author describes but what can I do to stay clear of the Kenny Gs of tech? Full disclaimer I have nothing against Kenny G, and even respect him, just one of those jazz expressions...
Companies that do this kind of garbage don't deserve your dollars. Its not enough to apologise after the fact, or offer opt-out, or any other half measures. I'm moving my domains over to someone else this week because of this.
Apparently my ISP (Cox) injects stuff as well? I've never seen this message before, but just now stumbled on it for the first time -- have been with them for 5+ years now, first time I've seen this message though.
Aside from the cap topic, it's outrageous to me that they find it OK to alter/inject into HTTP responses like this. Send me an email, sure -- but to alter responses?!
This is an issue with many, especially mobile, carriers... the key is to use HTTPS everywhere, and send issues/requests to sites not HTTPS to switch. Let's Encrypt removes the last reason why a site shouldn't be all HTTPS.
Note: fixing redirect rules for logins on some sites is a significant PITA, but should be adjusted accordingly by now anyway.
Just to be clear, this is a different kind of injection. Yours is at the visitor end (the ISP modifies the page while delivering it) while the original is at the server end (GoDaddy modifies the page while serving it).
I see a lot of mentions of Namecheap in these comments, but I recently discovered another option on tld-list[1]: Porkbun[2]. I don't need much out of a registrar, so price is the main consideration, and Porkbun's renewal prices are significantly cheaper ($8.70 for a .com, versus $13.16 on Namecheap).
I would consider using Cloudflare's new at-cost registrar service[3] for everything, but they don't allow you to use non-Cloudflare nameservers.
I've also experienced strange issues with logging in to Namecheap. From what I remember, I kept getting a server error message. Sometimes it happened after submitting my password, and sometimes it happened after submitting my 2FA code. Customer support couldn't help, and the issue went away the next day.
I originally built a service to detect exactly this kind of large-scale injection of content and similar occurrences (e.g. library prevalence etc). This is a perfect example of how to find the GoDaddy injected content: https://urlscan.io/search/#%22tcc_l.combined.1.0.6.min.js%22
Another provider I found doing something similar is 000WebHost: https://urlscan.io/search/#filename%3A000webhost They "just" inject a footer with an image and a link to their service though. Not sure how common this is in the low-cost hosting space.
It's not surprising that this PSU like every other in India is being destroyed from the inside, and is well on its way into the mouths of the private vulture funds.
I read the code gist that someone else posted earlier...can someone explain to me exactly why this is gross in the first place?
I can easily imagine a scenario where someone innocently added this code with good intentions (i.e. purely for performance data that sites can use) as opposed to being evil. It may be the case that there wasn't enough internal review of the code in question, and that's all. Also you have the ability to opt out...
It's cheap and it's a big company. They are basically the Walmart of domain registration. Out of having to deal with something like 40 or 50 registrars and resellers over the years I give them a slightly above average rating. Really, for all the bashing this thread people are giving there are far worse. They aren't great, but things will probably work with them.
I'll talk about alternatives now. Yeah, I know Gandi is cool, but they want too much money so majority of people pass them by.
If you want a really horrid example: 1and1 is a company that sets the bar. They buy up superbowl and print ads to lure in old people with cheap domain registrations (like $1 or so). Once sucked in they use a careful reading of the ICANN regulations to maximize difficulty in doing anything.
Oh, you want a transfer? That's going to be a week. Most things either go over the phone or through a panel that's down or nonfunctional half of the time.
Want to change nameserver delegation to your own DNS servers? Fuck you then. They wipe the current DNS records and process the change in a couple days. Your site can take a vacation.
Now, I hear a lot of people saying Namecheap is a good choice. They are ok, we recommend them but their panel likes to shit the bed and it can take hours to push DNS updates when things aren't running great there. They finally got off being an ENOM reseller, which is great. ENOM are assholes. I had a client that hired an ENOM reseller some time ago to register their domain and host their site. The reseller's company's owner got arrested and/or deported and while we were able to save the client's files the domain expired with no way for us to renew it. The good news is you can gripe up the chain to ENOM which will require a 5 year domain registration for $200.
That's it in a nutshell. They are a large company which has a service that mostly works for a cheaper price than arguably better options like Gandi.
Shout out to other terrible registrars like Yahoo Small Business (ugh)
"Now, I hear a lot of people saying Namecheap is a good choice. They are ok, we recommend them but their panel likes to shit the bed and it can take hours to push DNS updates when things aren't running great there."
You misunderstand. It very much should be pushed and updated at authoritative DNS servers within minutes. I'm aware of ISP and local DNS caches and this is not what I'm talking about.
You can query the authoritative DNS servers for any domain using dig.
Other issues with Google aside, their registrar service has been great. I have 2FA on my google login and the domain services are pretty nice all around. No upsell, some integrated service options (close to one-click). Included Google DNS service and free mail forwarding.
NOTE: I use the free mail forwarding so I can continue using some very old email addresses.
I've been a Google Suite reseller long enough to know not to trust Google with anything critical that can go wrong. I would imagine that when things go wrong there, the only recourse would be to blog, complain here, and no doubt file some sort of appeal to ICANN involving paying $1000 or so and having a month of downtime.
As bad as the ENOM example is, at least I don't have to spend a week hammering the same dude on a certain subcontinent that has no escalation path.
GoDaddy has crazy marketing and dominate search results in that regard.
They bait and switch their customers into buying a really cheap domain for the first year and then rake up the price for subsequent years.
It's annoying for businesses to switch everything over to a new provider, especially not so technical people that don't want downtime, so they eat the cost.
GoDaddy alternatives which aren't shady are:
Namecheap
iwantmyname
AWS Route53 Domains
Google Domains (wouldn't be surprised if they kill this service though)
"Namecheap" used to be my fav but their backed is totally unreliable and broken.. At times when you add a new item to your domain (say mail) its not uncommon for the DNS settings to reset ! Happend to me twice.
Also lost my DNS settings for another domain after i "browsed" their backend !
Yes, I moved some stuff from Hover to iwantmyname because they don’t abstract anything important and there’s no clutter. Hover isn’t bad, but I was looking for something even more geek-appealing!
People keep talking about domain registrations and competitors in this area, but the majority of GoDaddy customers don't know what means. The majority of competitors in the shared hosting space are part of the EIG conglomerate, which is largely more of the same.
All the options we might call "better", including deploying a static site to Netlify or GH Pages, using a cheap VPS or a complex AWS deployment, aren't actually options for the people buying these services, who expect a one click Wordpress deployment.
Google domains has close to 1-click integration with Google Docs for the mail side, and Wordpress via bluehost integration.
I've been VERY happy with them. Hadn't been on their main app in a while and it looks like they've improved the UX a bit. I do have gdocs on one of my domains, but probably will drop it. Otherwise I'm externally hosting a few things. I am also making use of the mail forwarding options for addresses on a couple of said domains.
Pair Domains takes my money and provides me exactly what they advertise. The only issue I've had is that their DNS service doesn't have all the record types I want, so I use CloudFlare for that.
Injecting is misleading, why don't people just use Amazon, is it just too much work or is shared hosting that much cheaper including cost of maintenance?
probably should be a ask hn, but in 2019 isn't there a ready to go docker image or something that allows you to be your own webhost. Isn't it weird that we still pay for someone to run an apache instance for us on the web?
1) You need an ISP which allows this (opening ports 80 and 443), or that allows hosting more generally.
2) It is probably not a good idea to have people manage webservers without in-depth security and server knowledge.
3) You still have to arrange DNS-hosting.
4) Webhosting can be a lot of things, e.g. database hosting, http website hosting, email hosting, etc...
5) When hosting your own website, traffic bursts might become a problem for your own internet. Do you really want to open your own IP for DDoS attacks?
6) Probably external nameservers (e.g. cloudflare) would be a good idea (see 5).
7) By hosting your own server, you have a lot more legal liabilities.
There's a lot more to this than you would think on first sight. I outlined just a few problems and issues above, but there's probably many more. Truth is that it's probably not a good idea to host your own website if you're just a small business, or hobbyist (unless you want to learn something).
> You need an ISP which allows this (opening ports 80 and 443)
Anywhere on the internet that allows you to run a box allows you pretty much any port you like. DO, Linode, Light Sail
> It is probably not a good idea to have people manage webservers without in-depth security and server knowledge.
Yes. But in my experiences most pwning happens due to application sec rather than server sec. i.e wordpress/drupal instances that aren't updated regularly and vulnerable plugins installed on the same. But I see your point, and I think it applies to any DIY effort.
Yeah, when you sign up to any host out there they give email, seo, and logging. But I feel most clients would only really need database + app + email services. And for email Gmail and Proton are really the only quality choices. So you could get away with only offering database + app hosting.
> You still have to arrange DNS-hosting.
no, I think most domain registras will do this for you and offer a decent interface around this. I use namecheap and they are just stellar!
> When hosting your own website, traffic bursts might become a problem
This is the same for most webhosts anyway. In fact the problem is worse for webhosts. The cheapest box on Digital Ocean can easily outperform you run of the mill webhosting package. The resources available to each app on shared hosting is laughable for anything but you mom and pops local bakery or blog.
> Do you really want to open your own IP for DDoS attacks?
I don't think this is a problem you can get away from either way. You eventually have to use a service like cloudflare as you mentioned for this; webhosted or DIY.
> By hosting your own server, you have a lot more legal liabilities.
I agree with you on this one.
> Anywhere on the internet that allows you to run a box allows you pretty much any port you like. DO, Linode, Light Sail
So instead of paying someone to run Apache for you, you pay someone to run the box you run your Apache on? Why is that better if you just need Apache running somewhere? I run my own stuff on a VPS too, but for people just wanting hosting I'd generally recommend plain hosting from a trustworthy provider.
I'm pretty font of dokku. Runs great on DigitalOcean. I would DIY it on a base linux image so you have an easier upgrade path. The extension for Let's Encrypt is pretty great too. I tend to just have a Dockerfile in the root of my project, and `git push deploy` up to it when tests pass. It works well for single-server small/mid sized applications. You still have full docker for other bits, but the integration is nice.
NOTE: if you use the $5 droplet level, you must add a swap file or you will have issues. You probably should do this anyway.
went to Google domains a while back and never turning back. Waiting for my domains with them to expire before turning them all over. GoDaddy runs its business like they only want to do business once with you
I've used godaddy, namecheap, and 101domain. Godaddy was about ten million times better than 101domain in terms of customer service. I'm kind of surprised they would do something this malicious.
If someone is injecting JavaScript codes into your website and you do not want, put your own JavaScript codes which cause it to display a message asking the user to disable JavaScript if they want to access your webpage!
The best "How to stop it" would be to change registrars. Domain registrar is a highly commoditized, extremely low margin, volume play business. There is always another company better than the other.
Personally, I have a ResellerClub account that I 'sell' to myself and my families. I also use name.com and namecheap.com for both my personal and my companies domains. They all are good.
There is Google too, and CloudFlare entered the market.
Question: Even if one registers with GoDaddy, what if the DNS is at CloudFlare, it won't have this problem, right?
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpbh'},{'server':'a2plvcpnl83247'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></sc...
That's pretty gross.