Rant

One thing that frustrates me endlessly is major companies’ obsession with using countless domain names for public-facing websites and services. What do I mean by this? Companies should be using one root domain for public services and stick with it.

For example, I think Google does a great job at this (for the most part). If I want to view my Google email, I go to mail.google.com. If I want to look at my Google photos, I go to photos.google.com. If I want to shop for Google hardware, I go to store.google.com. This builds trust that if you’re visiting a Google service, the root domain should be google.com, and it makes phishing attempts easy to spot. A URL like mygooglemail.com immediately stands out as phishy (pun intended) because its root domain is not google.com.

On the other hand, let me log in to my university Office 365 account portal and tally up the root domain names of the services listed:

sharepoint.com
dynamics.com
office.com
kaiza.la
windowsazure.com
powerapps.com
microsoft.com
microsoftstream.com
aka.ms
yammer.com

Some of these even look like phishing domains. microsoftstream.com? Just for fun, I looked at similar domains for sale to see how easy it would be to just buy a similar looking domain.

[Image: a list of Microsoft video-related domains for sale. Just a quick search on Google Domains.]

While microsoftvideo.com is taken (and, fun fact, does not take you to a Microsoft site), many similar domains like microsoftvid.com are for sale and could easily be abused by phishers. Who could blame users? Such a domain looks just as official as a real Microsoft site.

My point is, this seems ridiculous. How are normal users supposed to remember that all these different domains are controlled by Microsoft and are actually safe? Now, I understand the need for cookie-less CDN domains. But all the domains I just listed for Microsoft are right on the Office 365 portal as the “official” link to get to various services.
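As an added example that is not part of the original post, here is a small Python check that applies the root-domain heuristic the way a mail filter or browser extension might. The allowlists are built from the domains listed above, and the tiny two-label public-suffix table is an assumption standing in for the real Public Suffix List. It also shows why a literal "does the URL contain google.com" test is weaker than comparing the registrable domain.

```python
"""Added example (not from the original post): classify URLs by registrable
root domain, which is what a single-root-domain policy lets users and tools
rely on.  A naive substring test ("does the URL contain google.com?") is
fooled by a host such as google.com.evil.example, so the check below parses
the hostname and compares its registrable domain against an allowlist."""
from urllib.parse import urlsplit

# Assumption: a stand-in for the Public Suffix List.  Production code should
# use the full list (for example via the tldextract package), not this table.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# One root domain, as the post recommends, versus the sprawl on the
# Office 365 portal (constructed from the domains the post tallies).
GOOGLE_ROOTS = {"google.com"}
MICROSOFT_ROOTS = {
    "sharepoint.com", "dynamics.com", "office.com", "kaiza.la",
    "windowsazure.com", "powerapps.com", "microsoft.com",
    "microsoftstream.com", "aka.ms", "yammer.com",
}

def registrable_domain(url: str) -> str:
    """Return the registrable domain of the URL's host, e.g. mail.google.com -> google.com."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return host.lower()
    # Keep one extra label when the last two form a public suffix like co.uk.
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def naive_contains(url: str, root: str) -> bool:
    """The heuristic taken literally: does the URL text contain the root domain?"""
    return root in url.lower()

def is_official(url: str, roots: set) -> bool:
    """Allowlist check on the registrable domain; immune to subdomain and prefix tricks."""
    return registrable_domain(url) in roots

if __name__ == "__main__":
    # Constructed sample URLs; .example is reserved and never resolves.
    for u in ["https://mail.google.com/mail", "https://mygooglemail.com/login",
              "https://google.com.evil.example/signin", "https://microsoftvid.com/"]:
        print(f"{u:42} naive={naive_contains(u, 'google.com')!s:5} "
              f"official={is_official(u, GOOGLE_ROOTS)}")
```

Note how small GOOGLE_ROOTS is compared with MICROSOFT_ROOTS: the longer the allowlist, the more lookalikes (microsoftvid.com next to microsoftstream.com) a user has to judge by eye.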

Microsoft has so many domains that they even publish documentation listing them for Office 365 and Windows, so that administrators know what to whitelist in their firewalls. A brief selection of root domains:

aadrm.com
aka.ms
akamaihd.net
akamaized.net
aspnetcdn.com
azure-apim.net
azure.com
azure.net
azurerms.com
bing.com
cloudappsecurity.com
digicert.com
edgesuite.net
entrust.net
geotrust.com
gfx.ms
globalsign.com
globalsign.net
identrust.com
letsencrypt.org
live.com
live.net
lync.com
microsoft.com
microsoftazuread-sso.com
microsoftonline-p.com
microsoftonline-p.net
microsoftonline.com
msauth.net
msauthimages.net
msecnd.net
msedge.net
msft.net
msftauth.net
msftauthimages.net
msftconnecttest.com
msftidentity.com
msidentity.com
msn.com
msocdn.com
mstea.ms
o365weve.com
office.com
office.net
office365.com
omniroot.com
onenote.com
onenote.net
onestore.ms
onmicrosoft.com
optimizely.com
outlook.com
phonefactor.net
powerapps.com
public-trust.com
sfbassets.com
sharepoint.com
sharepointonline.com
skype.com
skypeassets.com
skypeforbusiness.com
svc.ms
symcb.com
symcd.com
trafficmanager.net
verisign.com
verisign.net
virtualearth.net
windows.com
windows.net
windowsazure.com
windowsupdate.com
xbox.com
xboxlive.com
xboxservices.com

Clearly, not all of these are owned or controlled by Microsoft: some are certificate-authority domains like letsencrypt.org, others belong to vendors like optimizely.com. But the vast majority are definitely Microsoft’s. And good lord, is that a lot of different domain names.

While Google is certainly better (especially for their consumer services), they still have their fair share of confusing domains. Off the top of my head:

google.com
withgoogle.com
goo.gl
goo.gle
g.co
docs.new
sheets.new
slides.new
tv.google
domains.google
googleblog.com
blog.google
blogspot.com
blogger.com
android.com
chromecast.com
web.dev
googlemail.com
googleapis.com
googlesource.com
doubleclick.net
google-analytics.com (only domain with a dash?)
googleadservices.com
googletagmanager.com
googleusercontent.com
googlevideo.com
gstatic.com
gvt1.com
ggpht.com
chromium.org
crbug.com
crrev.com

(I’m ignoring their public cloud domains like appspot.com and firebase.com).

In conclusion, please use just one root domain for public services. It decreases phishing potential, promotes brand consistency, and makes it easier for regular users to identify official sites.