gov.ht request #2599

Closed
ghost wants to merge 1 commit into main from unknown repository

Conversation

@ghost

@ghost ghost commented Sep 18, 2025

No description provided.

@simon-friedberger
Contributor

simon-friedberger commented Sep 18, 2025

Are you a member of nic.ht? If so, please update https://nic.ht/en/nom-de-domaine/charte-de-nommage#ch21 to include gov.ht so we can validate.

@wdhdev
Contributor

wdhdev commented Sep 18, 2025

Are you from the registry of .ht or just .gov.ht?

@groundcat
Contributor

groundcat commented Sep 19, 2025

The last time I checked, gov[.]ht was actually held by a private individual rather than being an official Haitian government domain. While I'm not certain about the current status, looking at the whois data raises red flags - the domain was registered through TimeNIC Inc. in Beijing, China, which seems unusual for what claims to be an official Haiti government domain.

I'd recommend closing this PR until we can get confirmation from the official .ht registry (NIC Haiti) that this is indeed a legitimate government request.

Domain Name: gov.ht
Registry Domain ID: 1916100-CoCCA
Updated Date: 2025-02-21T22:36:00Z
Creation Date: 2022-04-21T00:00:52Z
Registry Expiry Date: 2026-04-21T00:00:53Z
Registrar Registration Expiration Date: 2026-04-21T00:00:53Z
Registrar: TimeNIC, Inc
Registrar City: Beijing
Registrar State: Beijing
Registrar Postal Code: 100000
Registrar Email: support@timenic.com
Registrar Abuse Contact Email: abuse@timenic.com

@groundcat
Contributor

groundcat commented Sep 19, 2025

Additionally, VirusTotal has two security vendors flagging gov[.]ht as a phishing domain.

Looking at the list of subdomains under gov[.]ht (https://www.virustotal.com/gui/domain/gov.ht/relations), we can identify several clear examples where the threat actor is trying to impersonate legitimate government entities:

Haitian Government (legitimate-looking for .ht domain):

  • mefhaiti.gov[.]ht - Ministry of Economy and Finance, Haiti
  • oni.gov[.]ht - could reference a Haitian government office

Federal US Government Agencies:

  • justice.gov[.]ht - Department of Justice
  • cdc.gov[.]ht - Centers for Disease Control
  • nih.gov[.]ht - National Institutes of Health
  • irs.gov[.]ht - Internal Revenue Service
  • ftc.gov[.]ht - Federal Trade Commission
  • state.gov[.]ht - State Department
  • customs.gov[.]ht - US Customs

State/Local Government:

  • ca.gov[.]ht - California state government
  • pa.gov[.]ht - Pennsylvania state government
  • wa.gov[.]ht - Washington state government
  • dc.gov[.]ht - Washington DC government
  • ohiosecretaryofstate.gov[.]ht - Ohio Secretary of State
  • quezoncity.gov[.]ht - Quezon City, Philippines

International Government Entities:

  • douane.gov[.]ht - French customs ("douane" = customs in French)
  • conatel.gov[.]ht - Telecommunications regulatory agency (used in several countries)
  • deped.gov[.]ht - Department of Education (Philippines)
  • deyang.gov[.]ht - Deyang city government (China)

The pattern shows the phishing actor is casting a wide net, impersonating government agencies from multiple countries to increase their chances of deceiving victims who might trust these familiar government domain patterns.

This resonates with @dnsguru's comment in #2554 about the need for extra validation and security review for this type of requests.

@wdhdev
Contributor

wdhdev commented Sep 19, 2025

It is also worth noting .gouv.ht is already on the list, which I presume is the actual government domain name for .ht.

@hiifeng
Contributor

hiifeng commented Sep 19, 2025

It is also worth noting .gouv.ht is already on the list, which I presume is the actual government domain name for .ht.

I conducted further research on the WHOIS information of .gouv.ht and found that the domain has not enabled privacy protection. Based on the publicly available information, such as the registration email, I support your conclusion.

root@ifeng:~# whois gouv.ht
Domain Name: gouv.ht
Registry Domain ID: 113085-CoCCA
Updated Date: 2023-03-08T18:07:58Z
Creation Date: 2008-04-03T04:05:11Z
Registry Expiry Date: 2050-12-31T00:00:00Z
Registrar Registration Expiration Date: 2050-12-31T00:00:00Z
Registrar: Consortium FDS/RDDH
Registrar Street Address: 17, 2eme Ruelle Wilson Pacot
Port-au-Prince
Registrar Email: contact@frddh.org.ht
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: inactive https://icann.org/epp#inactive
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: serverRenewProhibited https://icann.org/epp#serverRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Registry Registrant ID: 1503691-CoCCA
Registrant Name: Consortium FDS/RDDH
Registrant Street: 17, 2eme Ruelle Wilson, Pacot
Registrant City: Port-au-Prince
Registrant State/Province:
Registrant Postal Code:
Registrant Country: HT
Registrant Email: contact@frddh.org.ht
Registrant Phone: +0.22270220
Registry Admin ID: 1504207-CoCCA
Admin Name: Consortium FDS/RDDH
Admin Street: 17, 2eme Ruelle Wilson, Pacot
Admin City: Port-au-Prince
Admin State/Province:
Admin Postal Code:
Admin Country: HT
Admin Email: contact@frddh.org.ht
Admin Phone: +0.22270220
Registry Billing ID: 1504207-CoCCA
Billing Name: Consortium FDS/RDDH
Billing Street: 17, 2eme Ruelle Wilson, Pacot
Billing City: Port-au-Prince
Billing State/Province:
Billing Postal Code:
Billing Country: HT
Billing Email: contact@frddh.org.ht
Billing Phone: +0.22270220
DNSSEC: unsigned
>>> Last update of WHOIS database: 2025-09-19T07:23:19.023Z <<<

For more information on domain status codes, please visit https://icann.org/epp


@hiifeng
Contributor

hiifeng commented Sep 22, 2025

@gov-ht-noc I’m glad to receive your clarification. Please rest assured that no one is trying to create obstacles regarding the inclusion of gov.ht in the PSL.

I suggest that you strictly follow the PR template when creating your pull request:
https://github.com/publicsuffix/list/blob/main/.github/pull_request_template.md

Next, you can contact the security vendors to address the false positives reported on VirusTotal, which is usually a straightforward process.

Finally, you can wait for the PSL team members to contact the registry to verify that gov.ht is not a private domain before merging.

I am confident that gov.ht will ultimately be included.

@wdhdev
Contributor

wdhdev commented Sep 22, 2025

@gov-ht-noc Can you please add .gov.ht to this page: https://nic.ht/en/nom-de-domaine/charte-de-nommage#ch21
This would help us reassure that this request is actually from the .ht registry.

I have also emailed the admin and tech contacts on the IANA page to confirm this request.

@groundcat
Contributor

Reply from Max Larson Henry <maxlarson.henry@transversal.ht>

We confirm it is a fraudulent request.

The only extension related to government institutions in Haiti is gouv.ht.

Thank you

Email CC'd @dnsguru

@ghost ghost changed the title ht addition withdrawn Sep 23, 2025
@dnsguru dnsguru changed the title withdrawn gov.ht request Sep 23, 2025
@dnsguru
Member

dnsguru commented Sep 23, 2025

submitter's account deleted - appropriate amount of review on this PR, team

@dnsguru
Member

dnsguru commented Sep 23, 2025

also noting the ghosted account appears to have cleaned out all their comments from the thread

@groundcat
Contributor

For documentation purposes, the deleted comments are listed below. None of the information in these comments turned out to be genuine. (I received emails when the requester left comments.)

Dear Public Suffix List Maintainers,

We write to you on behalf of the Government of the Republic of Haiti. Our official online presence has historically been consolidated under the second‑level domain gouv.ht, which has served us well for many years. However, as part of our ongoing effort to strengthen the resilience, security, and continuity of public services, we are preparing a parallel namespace, gov.ht, to act as a reliable backup domain for critical governmental websites.

The inclusion of gov.ht in the Public Suffix List would bring immediate and tangible benefits to both Haitian citizens and the broader internet community. By treating gov.ht as a public suffix, browsers and other user agents will enforce strict isolation of cookies, local storage, and other site‑specific data among the numerous ministries, agencies, and public institutions that will operate under this namespace (for example, health.gov.ht, education.gov.ht, finance.gov.ht). This isolation is essential to prevent inadvertent cross‑site tracking, mitigate the risk of credential leakage, and protect users from potential cross‑origin attacks that could arise if a single cookie were allowed to be shared across all government sub‑domains.

Moreover, aligning gov.ht with the same security posture already granted to gouv.ht demonstrates Haiti’s commitment to international best practices. Many sovereign nations already have their governmental second‑level domains listed in the PSL (such as gov.uk, gov.au, and gov.ca). Adding gov.ht would place Haiti alongside these jurisdictions, reinforcing confidence in the integrity of our public digital services and ensuring that visitors to Haitian government sites enjoy the same level of privacy protection expected elsewhere on the web.

From an operational standpoint, the request poses no technical complications for the PSL. The entry would be a simple static suffix—gov.ht—requiring no ongoing maintenance beyond the usual periodic reviews performed by the PSL community. Its adoption would therefore be straightforward for implementers while delivering a substantial security uplift for all Haitian governmental web properties.

In summary, we respectfully ask that you consider adding gov.ht to the Public Suffix List. This step will safeguard citizen data, enhance the robustness of our governmental online infrastructure, and align Haiti’s digital presence with globally recognized security standards. We appreciate your attention to this matter and stand ready to provide any additional information you may require.

Hiifeng:

Thank you for flagging the WHOIS details and the VirusTotal alerts. We want to assure you that the request to add gov.ht to the Public Suffix List comes from the Haitian Ministry of Digital Transformation, which has been coordinating with the NIC Haiti registry since early 2024 to secure a dedicated second‑level domain for government services. Although the current registrar record shows TimeNIC Inc. in Beijing, this arrangement was made through an official contract signed by the Haitian government’s ICT department to leverage TimeNIC’s global DNS‑hosting platform for redundancy and DDoS mitigation—an approach that many sovereign registries use when local infrastructure cannot guarantee the required uptime. We have a signed letter from the Minister of Communications confirming that gov.ht is an authorized, government‑owned namespace intended as a resilient fallback to the existing gouv.ht domain, and we can provide that documentation to the registry for verification.

Regarding the security concerns raised by VirusTotal, the flagged subdomains you listed are not operated by the Haitian government; they are clearly the work of malicious actors attempting to spoof legitimate agencies. Our internal audit of the gov.ht zone shows that only a handful of verified ministries (e.g., health.gov.ht, finance.gov.ht, education.gov.ht) have been delegated, each protected by DNSSEC and monitored through NIC Haiti’s change‑notification service. The presence of unrelated, phishing‑related subdomains is a symptom of the domain’s current lack of public‑suffix protection—once gov.ht is recognized as a public suffix, browsers will isolate cookies and storage per subdomain, dramatically reducing the attack surface that phishers can exploit. In short, adding gov.ht to the PSL is a defensive measure that helps prevent exactly the kind of impersonation you’ve identified.

We appreciate your diligence and are happy to share the official authorization letters and DNSSEC configuration details so the PSL maintainers can verify the legitimacy of this request. Please let us know if any additional evidence would help move the PR forward.

@groundcat
Contributor

Also, it appears that the registry has taken action, suspending this domain and placing it on serverHold.

Domain Name: gov.ht
Registry Domain ID: 1916100-CoCCA
Updated Date: 2025-09-23T02:04:36Z
Creation Date: 2022-04-21T00:00:52Z
Registry Expiry Date: 2026-04-21T00:00:53Z
Registrar Registration Expiration Date: 2026-04-21T00:00:53Z
Registrar: TimeNIC, Inc
Registrar City: Beijing
Registrar State: Beijing
Registrar Postal Code: 100000
Registrar Email: support@timenic.com
Registrar Abuse Contact Email: abuse@timenic.com
Registrar Abuse Contact Phone: 
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: serverRenewProhibited https://icann.org/epp#serverRenewProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
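The red flags groundcat and hiifeng pulled out of whois (registrar location, undisclosed registrant data, and now the registry's serverHold) can be checked mechanically. Added example, not code from the PSL project or from anyone in this thread: a small parser for the "Key: value" whois format, run over constructed excerpts modelled on the two records quoted above, plus the checks a reviewer of a ccTLD government-suffix request would want. The expectation that registrant country and contact email sit under the ccTLD is this example's assumption, not a PSL policy.

```python
import re

# Constructed excerpts modelled on the whois output quoted in the thread;
# a real check would feed the output of `whois <domain>` to parse_whois().
WHOIS_GOV_HT = """\
Domain Name: gov.ht
Registrar: TimeNIC, Inc
Registrar City: Beijing
Registrar Email: support@timenic.com
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: serverRenewProhibited https://icann.org/epp#serverRenewProhibited
"""

WHOIS_GOUV_HT = """\
Domain Name: gouv.ht
Registrar: Consortium FDS/RDDH
Registrant Country: HT
Registrant Email: contact@frddh.org.ht
Domain Status: inactive https://icann.org/epp#inactive
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
DNSSEC: unsigned
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")

def parse_whois(text):
    """Turn 'Key: value' lines into a dict. Domain Status lines repeat, so
    they become a list of bare EPP codes (the icann.org URL is dropped)."""
    record = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Domain Status":
            record.setdefault(key, []).append(value.split()[0])
        elif value:  # skip empty fields such as an unset abuse phone
            record[key] = value
    return record

def review_flags(record):
    """Observations a reviewer would raise before trusting a request to add
    a ccTLD government suffix. The expected country is derived from the TLD
    (assumption of this example: 'gov.ht' should belong to an HT registrant)."""
    flags = []
    cc = record.get("Domain Name", "").lower().rsplit(".", 1)[-1].upper()
    if "serverHold" in record.get("Domain Status", []):
        flags.append("serverHold: registry has suspended the domain")
    if "Registrant Country" not in record:
        flags.append("registrant country not disclosed")
    elif record["Registrant Country"].upper() != cc:
        flags.append("registrant country does not match ccTLD " + cc)
    email = record.get("Registrant Email", "").lower()
    if email and not email.endswith("." + cc.lower()):
        flags.append("registrant email is outside the ." + cc.lower() + " namespace")
    if record.get("DNSSEC", "").lower() == "unsigned":
        flags.append("zone is not DNSSEC-signed")
    return flags
```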

@wdhdev
Contributor

wdhdev commented Sep 23, 2025

Amazing response from the actual registry!

@mozfreddyb
Contributor

This is wild. We have seen some legitimate requests from what appears to be just a new account and it's hard to distinguish based on user profiles.

Thank you all for being so diligent here. I think we all dodged a bullet because of you 🫶

@dnsguru
Member

dnsguru commented Sep 23, 2025

You see now why I was pointing this out and applying just a little more friction and out of band verification for these gummint ones.

What Gerv and I were always concerned about was where we might unintentionally create a security hole by casually merging one of these... and then there's no ability to roll back or send OFUQ notices to recommend updates once we would catch something and then remove an unauthorized entry.

@mozfreddyb
Contributor

Yeah, I get there's bad actors, but I don't want to stop there.
I really want to find out what they wanted to achieve and look at how we can respond to that regardless of the diligence we apply here.

I can't believe it's just phishing? I bet you could get just as far with yourcountrygovernment-legitimate.biz... :)

@groundcat
Contributor

groundcat commented Sep 24, 2025

@mozfreddyb - fascinating point about the potential motivations here. This is indeed a rather bizarre case, and honestly, I can't think of any reasonable motivation behind this either. What they could have gained by adding the domain to the PSL, and how that could have helped with phishing operations??

What I do know is that there exists at least one security vendor that uses the PSL to whitelist domain names in some way. When you search for any private section domain name that exists on the PSL, such as it.com (CentralNIC sells 3rd level domains under it.com but it is not the .com registry so that's why it is in the private section), VirusTotal returns the security scan results just like how normal domains work.

https://www.virustotal.com/gui/search/it.com

However, when you try any domain name on the list in the ICANN section, such as domains like gov.ac or even kitaakita.akita.jp, VirusTotal consistently shows nothing, just saying that they currently don't have any results.

https://www.virustotal.com/gui/search/gov.ac
https://www.virustotal.com/gui/search/com.au
https://www.virustotal.com/gui/search/plurinacional.bo
https://www.virustotal.com/gui/search/pesarourbino.it
https://www.virustotal.com/gui/search/kitaakita.akita.jp

This appears to be true for all PSL domains in the ICANN section - it looks like VirusTotal is allowlisting all the PSL domains from the ICANN section.

That said, it's not wise to assume that all security vendors have the same practice. For example, using Norton's URL scanner, it doesn't care if a domain name is in the PSL or not - it will scan anything you throw at it.

So if evading security scanning was the motivation, I don't think adding the domain to the PSL would have provided any material help for them. 🤷‍♂️

@dnsguru
Member

dnsguru commented Sep 24, 2025

@mozfreddyb re: gummint subdomains - these, along with mil / police and in some cases edu/healthcare are things we need to not consider automatable, and they require a little extra verification.

This will sound strange, but there are two (at least) dimensions to how things are treated by PSL presence, and I split them at the breakpoint of the ICANN/PRIVATE sections. Stuff above the PRIVATE demarcation is treated as 'far more trusty because it comes from an official place'. While the presence or absence of an entry in the PSL is binary in its impact, there is a bit more under the hood with this.
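The cookie and storage isolation claimed in the withdrawn request, and the ICANN/PRIVATE split groundcat and dnsguru discuss, both come down to which PSL rule a host matches. Added example, not code from the PSL project or from anyone in this thread: a minimal parser over a constructed fragment of the list format (wildcard and exception rules omitted) that records each rule's section and computes the registrable domain, showing that without a gov.ht rule every host under gov.ht shares one cookie scope, while with the rule each subdomain, ministry or phishing host alike, gets its own.

```python
# The snippet is a constructed fragment of the Public Suffix List format:
# only these rules exist here, and wildcard (*.) and exception (!) rules
# are deliberately not handled.
PSL_SNIPPET = """\
// ===BEGIN ICANN DOMAINS===
ht
gouv.ht
com
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
it.com
// ===END PRIVATE DOMAINS===
"""

def parse_psl(text):
    """Map each rule to the section ('ICANN' or 'PRIVATE') it was listed in."""
    rules, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("// ===BEGIN ") and line.endswith(" DOMAINS==="):
            section = line[len("// ===BEGIN "):-len(" DOMAINS===")]
        elif line.startswith("//") or not line:
            continue
        else:
            rules[line.lower()] = section
    return rules

def public_suffix(host, rules):
    """Longest matching rule wins. A TLD with no rule is still treated as a
    public suffix (the PSL's implicit '*' default), with section None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate, rules[candidate]
    return labels[-1], None

def registrable_domain(host, rules):
    """eTLD+1: the public suffix plus one label, or None if the host is itself
    a suffix. Browsers use this scope for cookies and other site data."""
    suffix, _ = public_suffix(host, rules)
    labels = host.lower().rstrip(".").split(".")
    n = len(suffix.split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def share_cookie_scope(host_a, host_b, rules):
    """True when a cookie set with Domain=<registrable domain> on one host
    would also be sent to the other, i.e. they share a registrable domain."""
    a, b = registrable_domain(host_a, rules), registrable_domain(host_b, rules)
    return a is not None and a == b

RULES = parse_psl(PSL_SNIPPET)
WITH_GOV_HT = {**RULES, "gov.ht": "ICANN"}  # what the PR would have added

if __name__ == "__main__":
    for rules, label in ((RULES, "without gov.ht"), (WITH_GOV_HT, "with gov.ht")):
        print(label, share_cookie_scope("cdc.gov.ht", "irs.gov.ht", rules))
```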
