jooby-1.x are broken #1513

nedtwigg opened this issue Jan 16, 2020 · 8 comments

@nedtwigg
Contributor

If you google "Jooby SSL", the top hit is

Which links to

Which doesn't have any info on https. I tried browsing the docs more broadly, the 1.x search always says "no results found", no matter what you search for. On the modules page, it is not possible to click any of the links, not sure why:

Looks like there is great progress on Jooby 2.x, which is great, but it's really valuable to leave the 1.x docs in a working state, so that old links and documentation will work. Especially since so much "link juice" is flowing to them, many search results for "Jooby blah" are going to have 1.x hits, and for now those are not a good experience.

@jknack
Member

jknack commented Jan 16, 2020

Yea, I can't pay for two domains.

Old doc is over v1 path: https://jooby.io/v1/doc/#https

@nedtwigg
Contributor Author

Do you still own the "jooby.org" domain? If you still own it, it'd be worth throwing up 301 redirects from jooby.org/* to jooby.io/v1/$. Cloudflare page rules can do that very quickly, for free.

If you don't own it anymore, that's a bit of a problem. The current owners are putting up your content. I'd be happy to try and help you get it back, if you want it back.

@altmind

altmind commented Jan 17, 2020

jooby.org really looks like a quickly-made placeholder for a squatted domain.
some linkfarm ads on the sidebar, sloppy footer, missing "here" links in faq.

@jknack
Member

jknack commented Jan 17, 2020

I don't own the domain anymore... didn't know it was still active and showing some v1 content :(

@nedtwigg
Contributor Author

That's okay! Jooby is a great project, and we can fix this, but it is a serious problem. If I open an incognito tab, and search "jooby", the top hit is jooby.org. And it is hosting the jooby 1.x docs, they're just a little strange. It didn't occur to me that anyone besides you was hosting them, I was very confident that they were authentic, just accidentally broken. The wayback machine's last snapshots are May 2019, where it appears normal, and in August 2019 it was a redirect to jooby.io, and that's the end of the history.

Hit 2 and 3 are github, 4 is jooby.io. But every other result is a tutorial (some quite good!), and every single one points to various subsections of jooby.org, none of them point to jooby.io. So in terms of growing the jooby community, it's really important for people to be able to make long-lived tutorials. The great thing about Jooby is that it is so small and stable that I don't have to muck with the framework, compared to more bloated frameworks. That stability should translate to tutorials, but it requires stable documentation URLs. I'll happily pay for and maintain the domains, but I think it's critical that we get it back permanently - to repay the effort people put to make the tutorials, and also to signal to future adopters who link to jooby.io: "put work into this, it is stable, we will not pull the rug out from under you later".

The trouble is, I doubt the current owner of jooby.org is benevolent. To a newcomer (and me!), it looks like jooby.org is the real one, and jooby.io is the fake (all the tutorials from legit brands like baeldung point to jooby.org). That's a very dangerous situation. For example, here is an attack which I would have easily fallen for:

  • JitPack will automatically verify domain ownership in minutes, and give the "org.jooby" maven group to them
  • Change the website to say "best way to get jooby is from jitpack"
  • And then when I get org.jooby:jooby:1.6.6 from jitpack, I will get whatever the attacker wants

It's a little slower, but eventually Sonatype will also let them publish to mavencentral under org.jooby groups. Given that somebody bothered to put up docs, but couldn't get them to look and work quite right, it seems that they are not super sophisticated. But the fact that they bothered to put up fake docs at all indicates that they do plan to do something with them. Here is the whois:

Domain Name: JOOBY.ORG
Registry Domain ID: D174222491-LROR
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.whois.godaddy.com
Updated Date: 2019-12-17T02:28:51Z
Creation Date: 2014-10-15T15:35:23Z
Registry Expiry Date: 2020-10-15T15:35:23Z
Registrar Registration Expiration Date:
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Country: US
Name Server: NS1.VEEROTECH.NET
Name Server: NS2.VEEROTECH.NET
Name Server: NS3.VEEROTECH.NET
Name Server: NS4.VEEROTECH.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2020-01-17T07:18:32Z <<<

If we can't get jooby.org back, then we need to disclose to the various tutorials that they need to update all their links to jooby.io. We should also probably disclose to JitPack, Sonatype, etc. that jooby.org is owned by an untrusted party, and they should blacklist anyone trying to create new maven groups under that name. But that is all a lot of work for a lot of people, and if we can just get the domain back then we don't have to do any of it.

In the short-term, we should definitely email abuse@godaddy.com and point them to this github issue - at the very least I think they will take it down. I'll email you @jknack about other ways I can help you. If you use Jooby and have a dedicated legal/security team, chime in, we could use your help!
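
A defensive check for the scenario described in the comment above, added here as an example; it is not part of the original thread or of Jooby's code. It flags a Maven POM that both depends on the `org.jooby` group and declares a repository other than Maven Central (such as JitPack), which is the only configuration in which a third party controlling the group on that repository could serve the artifact. The watched-group list, the trusted-host set and the sample POM are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # assumes a namespaced POM
# Assumption: groups whose matching domain the project no longer controls
# (org.jooby <-> jooby.org, per the thread).
WATCHED_GROUPS = ("org.jooby",)
# Assumption: only Maven Central hosts are trusted for watched groups.
TRUSTED_HOSTS = {"repo.maven.apache.org", "repo1.maven.org"}

# Constructed sample POM, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>jitpack</id><url>https://jitpack.io</url></repository>
  </repositories>
  <dependencies>
    <dependency><groupId>org.jooby</groupId><artifactId>jooby</artifactId>
      <version>1.6.6</version></dependency>
    <dependency><groupId>io.jooby</groupId><artifactId>jooby</artifactId>
      <version>0.0.0-example</version></dependency>
  </dependencies>
</project>"""


def _text(node, tag):
    """Return the stripped text of a child element, or '' if it is absent."""
    return (node.findtext(tag, default="", namespaces=NS) or "").strip()


def audit_pom(pom_xml):
    """Report watched-group dependencies and any non-trusted repositories."""
    root = ET.fromstring(pom_xml)
    extra_repos = []
    for repo in root.findall("m:repositories/m:repository", NS):
        url = _text(repo, "m:url")
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_HOSTS:
            extra_repos.append(host or url)
    watched = []
    # .//m:dependency also covers <dependencyManagement> and plugin deps.
    for dep in root.findall(".//m:dependency", NS):
        group = _text(dep, "m:groupId")
        if any(group == g or group.startswith(g + ".") for g in WATCHED_GROUPS):
            watched.append(":".join(
                (group, _text(dep, "m:artifactId"), _text(dep, "m:version"))))
    # A watched coordinate is only at risk when some repository other than
    # the trusted ones could answer for it.
    return {"watched": watched, "extra_repos": extra_repos,
            "at_risk": bool(watched and extra_repos)}
```

Repositories inherited from a parent POM or from `settings.xml` are not visible to this check, so it should be run against the effective POM where possible.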

@marksack

marksack commented Aug 6, 2020

@nedtwigg @jknack Is there any update on the status of this issue? Have any of the disclosures been made? Any progress towards getting the domain back?

@jknack
Member

jknack commented Aug 6, 2020

Tried everything... nothing works. They (GoDaddy) just don't care:

Hello there!
I just wanted to reach out because the seller has viewed the offer and has not responded after. I have sent a follow up email to see if there is any interest in selling or if they have an asking price in mind and still have not received a response.
Normally this is because they are not intending to sell the domain and are just choosing to ignore us. Most sellers will ignore offers if they feel you are too far apart in countering. At this point you would need to increase your budget to continue to pursue the domain.
I would recommend an increased offer of $4000.00 to try and get some movement from the seller. More than likely we can get a response this way to either accept or at least counter us back. Please keep in mind any offer will be due immediately if accepted. I normally use this strategy with the seller to try and get a quick deal in place if they know the funds are available.
Also as a reminder there is a 20% domain buy service fee attached to the sale price if we get a deal in place since we are brokering the domain through our auction.
Any questions or concerns let me know, thanks!

About the abuse, they never write me back. So I filed a copyright complaint:

Dear Sir or Madam,
The website is not hosted by GoDaddy. We ask that you please note the following information:
The registrar is the company that sells a domain name registration to a person or company.
The registrant is the person or company that purchases a domain name for use.
The hosting provider is the company that provides space on its computers for the files that make up the content of the website.
While GoDaddy offers services as both a registrar and a hosting provider, this does not mean that we provide both services for every domain that is registered through our company.

@nedtwigg
Contributor Author

nedtwigg commented Aug 6, 2020

Sonatype was notified, so the mavencentral artifacts will remain safe. There are a lot of tutorials based on 1.x, those will probably remain risky unfortunately.

froque added a commit to froque/oga-maven-plugin that referenced this issue Feb 1, 2021
"org.jooby became io.jooby. Hence, use <groupId>org.jooby</groupId> for all dependencies."
https://jooby.io/#appendix-upgrading-from-x-maven-coordinates

Beware that jooby.org is a scam site. The real site is now jooby.io.
See jooby-project/jooby#1513 (comment)
passiondev2024 pushed a commit to passiondev2024/oga-maven-plugin that referenced this issue Apr 12, 2024
"org.jooby became io.jooby. Hence, use <groupId>org.jooby</groupId> for all dependencies."
https://jooby.io/#appendix-upgrading-from-x-maven-coordinates

Beware that jooby.org is a scam site. The real site is now jooby.io.
See jooby-project/jooby#1513 (comment)
0rzech added a commit to 0rzech/pac4j that referenced this issue Apr 29, 2024
Jooby maintainer no longer owns jooby.org domain
and the current one is jooby.io. See
jooby-project/jooby#1513
for more details.
0rzech added a commit to 0rzech/pac4j that referenced this issue Apr 29, 2024
Jooby maintainer no longer owns jooby.org domain
and the current one is jooby.io. See
jooby-project/jooby#1513
for more details.

Also, link directly to pac4j integration
instructions instead of Jooby home page.
0rzech added a commit to 0rzech/pac4j that referenced this issue Apr 29, 2024
Jooby maintainer no longer owns jooby.org domain
and the current one is jooby.io. See
jooby-project/jooby#1513
for more details.

Also, link directly to Jooby's pac4j integration
instructions instead of home page.
0rzech added a commit to 0rzech/pac4j that referenced this issue Apr 29, 2024
Jooby maintainer no longer owns jooby.org domain
and the current one is jooby.io. See
jooby-project/jooby#1513
for more details.

Also, link directly to Jooby's pac4j integration
instructions instead of just home page.
leleuj pushed a commit to pac4j/pac4j that referenced this issue Apr 29, 2024
Jooby maintainer no longer owns jooby.org domain
and the current one is jooby.io. See
jooby-project/jooby#1513
for more details.

Also, link directly to Jooby's pac4j integration
instructions instead of just home page.