- From: Mike West <mkwst@google.com>
- Date: Mon, 27 Oct 2014 08:40:55 +0100
- To: Yoav Nir <ynir.ietf@gmail.com>
- Cc: Zhong Yu <zhong.j.yu@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Received on Monday, 27 October 2014 07:41:43 UTC
On Sun, Oct 26, 2014 at 2:06 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> For example, my company has a public web site checkpoint.com, that is
> pretty much a “storefront” type website. It’s probably running on Apache or
> nginx and written by website designers. We have a
> supportcenter.checkpoint.com that has support articles, price lists and
> the like, and written by different website designers. Then we have
> exchange.checkpoint.com that is a Microsoft server, a SAP portal written
> by SAP, and even sslvpn.checkpoint.com (now disabled) that runs (not
> surprisingly) an SSL-VPN solution written by us.
>
> So no, you can’t assume that subdomains are written by the same people.

Note also that in the presence of an active network attacker with control of DNS (e.g. your local coffee shop), _every_ origin has attacker controlled subdomains served over HTTP.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)