The Lifecycle of a Website: A Progression Through zvelo’s View of the Web
The lifecycle of a website is really pretty simple from a high level. It starts out as a domain name registration, then becomes active for a time, and eventually goes away if or when it is no longer used. As we begin to share more information about how zvelo views the web in terms of the ActiveWeb, the ProActiveWeb, and the InActiveWeb, it’s important to cover what happens during the lifecycle of a website as somewhat of a primer for zvelo’s approach to monitoring the web for malicious detection and predictive threat intelligence.
At the earliest stage in the lifecycle of a website, a user decides on a domain name for the potential site. In addition to selecting a name, the user chooses a Top Level Domain (TLD) or Domain Extension. TLDs are generally categorized into two main groups:
gTLDs. gTLDs are generic TLDs and the most common are the .com, .net, .org, etc. While it used to be that there were only a handful of extensions available, there are now numerous customized TLDs to choose from to have it be specific to a particular brand, industry, or type of service offering.
ccTLDs. ccTLDs are country code TLDs and the extensions are limited to specific countries. Countries and territories have a top-level domain name available that’s based on the country’s two-letter ISO code — for example .us.
The next step in the lifecycle of a website is for a user, or registrant to procure a domain name. Domain names for the entire web are managed by the Internet Corporation for Assigned Names and Numbers (ICANN), and can be procured in two ways:
Registrar. Domain Name Registrar is an accredited service that has a direct connection with the central registry of a TLD, which allows users to register and purchase domain names. A domain registrar has to be accredited by the central registries of the domains it offers, it does not necessarily have to be accredited by ICANN.
Reseller. A Domain Reseller is a company or person that buys domains from a domain registrar or another domain reseller on behalf of their customers. Resellers do not have a direct connection with the central registry of a TLD, and are not accredited. Many registrar services also offer reseller programs which allow users to sell the registrar’s services under the user’s own brand.
After a domain name is registered, it’s linked to a hosting service where the website will eventually live. If the website has not been created and has no content, that domain is considered parked. A parked domain is registered but not yet linked to a hosting service and is not actively being used. A parked domain can occur twice during the lifecycle of a website — at the very beginning, and again at the end.
There are a number of different reasons for websites to be parked including:
Name Reservation. One of the most common reasons for a parked domain is simply to reserve the name until you have enough content to build out a website.
Protection from Cybersquatting. Many companies and brands will choose to register domain names relevant to their trademark, brand, product, or service to prevent others from purchasing that same domain only to offer to sell it back for a ridiculously inflated price.
Marketing. Similar to the tactic of protecting against cybersquatting, it’s a common marketing tactic to register domains similar to a company’s brand or products for brand safety management. While the active domain may use a .com extension, companies will often register the same domain name with multiple extensions — .net, .org, — to prevent another product or service from becoming associated with their brand’s name.
Monetization. Some users will register domain names for the sole purpose of generating income by domain flipping or by enabling display advertisements to appear on the page when someone happens upon the parked domain.
Expiration. At the end of the lifecycle of a website, after the content is taken down and the site goes into an unreachable status, a domain is parked until the domain registration either expires or is sold to another buyer.
While we don’t want to veer from the main blog topic, it’s important to highlight that parked domains are a crucial area to monitor for threat intelligence. For zvelo specifically, we observe domains as they move from the InActiveWeb into the ProActiveWeb, the ActiveWeb and eventually back to the InActiveWeb. This doesn’t mean that parked domains are inherently suspicious. There is, however, opportunity for Malicious Cyber Attackers (MCAs) to take advantage of parked domains in the InActiveWeb and ProActiveWeb. We’ll take a deeper look into parked domains and the vulnerabilities which can attract MCAs in a future post.
When a website has substantial enough content to provide value to its intended audience, it then becomes actively linked to a hosting service and the domain goes live on the internet and becomes part of the SurfaceWeb. Once a website is live, anyone can type the domain name into a web browser and access whatever content is hosted. When someone within zvelo’s network of 600+ million end users around the world visits a domain, it becomes part of the zvelo ActiveWeb.
A website will continue to be active and host content for as long as it’s relevant and then eventually, it is taken down either because it’s no longer being used, the domain name registration expired, it was taken down by law enforcement, or for whatever reason, it has gone into an unreachable status. Once this happens, the domain is again considered parked and moves from the ActiveWeb back to either the ProActiveWeb or InActiveWeb. The lifecycle of a website ends when the domain registration expires and then becomes available for purchase by another user — starting the process over again.