W3C home > Mailing lists > Public > public-web-perf@w3.org > November 2010

Re: [minutes] 20101110 Web Performance Working Group

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Thu, 11 Nov 2010 10:23:43 +0100
To: public-web-perf@w3.org
Message-ID: <op.vlz1pt0k41y844@id-c0735.oslo.opera.com>
On Thu, 11 Nov 2010 02:35:53 +0100, James Simonsen <simonjam@chromium.org>  

> On Wed, Nov 10, 2010 at 10:17 AM, Anderson Quach  
> <aquach@microsoft.com>wrote:
>> AndersonQuach: We agree to Private Domain, great.
> Sorry for the late follow up, but I think we should revisit this.
> Regarding option #3 (private domains), I think we need to factor in the  
> rise
> of cloud computing services, like amazonaws.com and appspot.com. These  
> sites
> rely on using different subdomains for security

I don't think hosting on subdomains is anything new.

Note that using different subdomains does not provide proper security,  
mainly because cookies can be shared. Partly also because domain  
highlighting might not highlight the subdomain, and allows for easy  
spoofing. E.g. browser IDN rules are also typically different for private  
domains and subdomains, which transfers responsibility for avoiding  
lookalikes among the domain names to the host, and such domains might also  
be sorted in the browser as belonging together. The conclusion is that  
while using subdomains might be practical and partly sandbox the contents,  
it is not a solution to properly secure the contents. Trying to do so  
already leads to a host of subtle issues.

For these two domains in particular, skimming through them, subdomains on  
both of them seem to host public content, and offer no logins. In which  
case there isn't any private information to be leaked. In order for there  
to be private information, there need to be some kind of  
identification/login, in which case there most likely will be cookies. If  
there are cookies involved, the subdomains most likely have security  
issues, dwarfing any privacy issues. I also find no high profile sites on  
the two domains, and don't expect that to change in the future.

Serious webmasters would likely get their own domain, and for the use  
cases I might have missed it is possible for the owner of a private domain  
to add it to the pubsuffix list as a public domain.

> The unload information is entirely based on the content of the previous
> page. Therefore, it should only be available to the previous page's  
> owner.
> Likewise, if the previous subdomain issues a bunch of redirects before
> sending the user to a new subdomain, those redirects are only relevant to
> the previous subdomain's owner.

We can never be certain if the owner of two different resources is the  
same, even in the same folder on the same domain. What I am claiming is  
that even in the worst case, sharing across the private domain isn't all  
that bad, and that if the owners of two subdomains are different, they  
(and users) likely don't care about any potential leakage, in the same way  
we don't care about any leakage between resources with different owners on  
the same subdomain.

You are welcome to convince me otherwise, but that would likely best be  
done with real world data, showing subdomain cases where there is a real  
expectation of security, combined with private data, and where the  
performance object would make things less secure. To me, the two examples  
above don't qualify for any one of the three points. Bonus points if it is  
a high profile site.

Sigbjørn Vik
Quality Assurance
Opera Software
Received on Thursday, 11 November 2010 09:24:15 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:04:29 UTC