Faster Forward: Libya shutdown raises questions about bit.ly, security of foreign domains
A secondary story has come out of the events in Libya, affecting users in a way few people have ever thought about. The top-level domain .ly, used by the popular URL-shortening site bit.ly and others, is the TLD of Libya. As Libya has intermittently shut down its Internet access in a curfew-like fashion, it raised questions about the security of Web sites that use foreign TLDs for their sites.
On the question and answer site Quora, bit.ly CEO John Borthwick asserted that his company was safe from the shutdown. "For .ly domains to be unresolvable, the five .ly root servers that are authoritative *all* have to be offline, or responding with empty responses," he said. "Of the five root nameservers for the .ly TLD: two are based in Oregon, one is in the Netherlands and two are in Libya."
Borthwick added that bit.ly has several workarounds for the .ly ending, including rewriting domains to j.mp or at bitly.com.
But Borthwick's comments were questioned by infrastructure expert Kim Davies, who countered that Borthwick had not been completely forthcoming with his comments.
"It gives a sense of false confidence to state that country-code domains are impervious to these kinds of government-mandated Internet shutdowns," said Davies. "If a country like Libya decides to shut down the Internet affecting the registry operations of .LY, while it is unlikely to have an immediate effect unless they explicitly empty the registry data, it can have a devastating effect in short order."
ICANN reported that there were, in fact, some problems with Web sites carrying .ly domains, though bit.ly users did not report similar problems.
Yes, bit.ly is safe, because it has plenty of backups, but an Internet shutdown is not the only consideration for sites looking to foreign TLDs.
As Melissa Bell and Rob Pegoraro reported in October, the site VB.ly was taken down for posting "sex-positive" content that ran contrary to Libyan Islamic law. To summarize Rob's advice from October: If you think your content may run afoul of the social code of a certain country, don't pick their domain.