- From: timeless <timeless@gmail.com>
- Date: Mon, 10 May 2010 04:30:00 +0300
On Mon, May 10, 2010 at 2:31 AM, Perry Smith <pedzsan at gmail.com> wrote: > If we have a site like official_site.area_subdomain.big.com which relaxes the > restriction to area_subdomain.big.com, it is now exposed to the potential of > an attack from any of the systems within the same area_subdomain including > laptops connected via wifi. ?The wifi is secure. ?The place I work at trusts me > to some degree but with a large corporation, they very often try to restrict > information on the "need to know" basis. ?And, corporate espionage is a real threat. Sites shouldn't be configured this way. They should have two domains, one used for corporate servers: *.big.com one used for untrustworthy systems: <guest>.evil There's no reason to stick computers into area_subdomain.big.com (if you manage to get dns search right). I've seen networks which are properly configured with a secondary domain. But roughly speaking, if you're allowed to put a computer into <host>.area_subdomain.big.com, your neighbors have already lost. Where I work, we have hundreds of servers which pop up random dialogs asking for my windows domain credentials. Some use HTTP Auth requests, some use html forms to ask for it. There's no way for a user to determine if a server is real or not, and most have expired or otherwise invalid certificates, everyone has to trust all of them. Thus we trust the network not to allow computers which don't belong into the interesting subnets (and in theory there's something patrolling those networks to guard against this problem).
Received on Sunday, 9 May 2010 18:30:00 UTC