On Mon, Jun 10, 2019 at 7:49 AM Michael Richardson <[email protected]>
wrote:

>
> {I've clipped the CC list}
>
> Eric Rescorla <[email protected]> wrote:
>     >> On 09-Jun-19 01:37, Eliot Lear wrote:
>     >> >
>     >> >
>     >> >> On 7 Jun 2019, at 23:17, Toerless Eckert <[email protected]> wrote:
>     >> >>
>     >> >> Ok, now I got you (I hope ;-).
>     >> >>
>     >> >> I really liked the c1sco example (not sure if we should mention a real
>     >> >> company name in such an RFC; someone not reading the draft might take
>     >> >> offense, maybe examp1e.com instead though).
>     >> >
>     >> > This is a bit tricky with the glyph attack, but certainly the base
>     >> should be
>     >> > example.com.
>     >>
>     >> Can you use null.example.com and nu11.example.com?
>     >>
>
>     > That's a little unfortunate from the perspective of this attack because
>     > .com is a public suffix [0] whereas example.com is not.
>
>     > -Ekr
>
>     > [0] https://publicsuffix.org/
>
> okay, I'm trying to understand the relevance of this from the point of an
> example in an RFC.
>
> We need to put the example under example.*, but we can't use examp1e.com,
> because it's not an example domain.
>
> Brian suggested the example null vs nu11.
> This is not about super-cookies, etc. and it doesn't suggest any kind of
> process involving the list of publicsuffixes.
>

The general shape of this kind of attack is that the attacker wants to
impersonate A and so gets a domain with name A' that looks like A. However,
this depends on A' being something the attacker can register. The public
suffix list embodies the concept (more or less) of "anyone can register
here". By contrast, a.example.com is (I assume) owned by example.com and so
your average attacker can't do anything with b.example.com.

-Ekr
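The distinction Ekr draws above, put into code as an added example that is not part of the thread: a look-alike name only helps an impersonator if its registrable part sits directly under a public suffix, where anyone can register, rather than under a domain someone else already controls. The public-suffix set and the confusable-glyph map below are constructed, trimmed-down stand-ins for the real Public Suffix List and Unicode confusables data, and the function names are the author's own.

```python
"""Classify a look-alike domain by whether an attacker could register it.

Added example for the Anima thread; not code from the thread or the draft.
The suffix set and confusable map are constructed subsets, not the real data.
"""

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# The real list has thousands of entries plus wildcard and exception rules,
# which this example omits.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}

# Constructed map of ASCII digit-for-letter glyph substitutions.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Normalise a domain so confusable glyphs collapse to one canonical form."""
    return domain.lower().rstrip(".").translate(CONFUSABLES)


def public_suffix(domain: str):
    """Longest suffix of `domain` found in PUBLIC_SUFFIXES, or None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def registrable_domain(domain: str):
    """The label directly below the public suffix, plus the suffix itself:
    the unit a registrar hands to whoever asks first. None if the domain has
    no known public suffix or is itself a public suffix."""
    suffix = public_suffix(domain)
    if suffix is None:
        return None
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = suffix.count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def assess(candidate: str, target: str) -> dict:
    """Classify `candidate` relative to `target`.

    looks_like: the two names differ only by confusable glyphs.
    attacker_registrable: the candidate's registrable domain is not the
    target's, so a stranger could obtain it from a registrar. A look-alike
    such as nu11.example.com shares example.com's registrable domain and is
    therefore available only to whoever already controls example.com.
    """
    looks_like = (skeleton(candidate) == skeleton(target)
                  and candidate.lower() != target.lower())
    cand_reg = registrable_domain(candidate)
    target_reg = registrable_domain(target)
    attacker_registrable = cand_reg is not None and cand_reg != target_reg
    return {
        "looks_like": looks_like,
        "attacker_registrable": attacker_registrable,
        "registrable_domain": cand_reg,
    }


if __name__ == "__main__":
    # The two candidate pairs discussed in the thread.
    for cand, target in [("examp1e.com", "example.com"),
                         ("nu11.example.com", "null.example.com")]:
        print(cand, "vs", target, "->", assess(cand, target))
```

Run against the thread's two candidates, `examp1e.com` comes back as both a look-alike and attacker-registrable, while `nu11.example.com` is a look-alike that only example.com's owner could create, which is exactly why the null/nu11 pairing reads less convincingly as an attack illustration. For production use the constructed suffix set would be replaced by the full Public Suffix List (a library such as `publicsuffix2` or `tldextract` handles the wildcard and exception rules) and the glyph map by the Unicode confusables table.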
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima