On 11-Jun-19 04:21, Eric Rescorla wrote:
>
>
> On Mon, Jun 10, 2019 at 7:49 AM Michael Richardson <[email protected]> wrote:
>
>
> {I've clipped the CC list}
>
> Eric Rescorla <[email protected]> wrote:
> >> On 09-Jun-19 01:37, Eliot Lear wrote:
> >> >
> >> >
> >> >> On 7 Jun 2019, at 23:17, Toerless Eckert <[email protected]> wrote:
> >> >>
> >> >> Ok, now i got you (i hope ;-).
> >> >>
> >> >> I really liked the c1sco example (not sure if we should mention a real
> >> >> company name in such an rfc someone not reading the draft might take
> >> >> offense, maybe examp1e.com instead though).
> >> >
> >> > This is a bit tricky with the glyph attack, but certainly the base
> >> > should be example.com.
> >>
> >> Can you use null.example.com and nu11.example.com?
> >>
>
> > That's a little unfortunate from the perspective of this attack because
> > .com is a public suffix [0] whereas example.com is not.
>
> > -Ekr
>
> > [0] https://publicsuffix.org/
>
> okay, I'm trying to understand the relevance of this from the point of an
> example in an RFC.
>
> We need to put the example under example.*, but we can't use examp1e.com,
> because it's not an example domain.
>
> Brian suggested the example null vs nu11.
> This is not about super-cookies, etc. and it doesn't suggest any kind of
> process involving the list of publicsuffixes.
>
>
> The general shape of this kind of attack is that the attacker wants to
> impersonate A and so gets a domain with name A' that looks like A. However,
> this depends on A' being something the attacker can register. The public
> suffix list embodies the concept (more or less) of "anyone can register
> here". By contrast, a.example.com is (I assume) owned by example.com and so
> your average attacker can't do anything with b.example.com.
However, examp1e.com is 2001:470:1f07:1126::555:1212 or 64.57.183.2 so we
*really* can't use it. examp1e.net is 133.242.206.244 and actually responds to
HTTP.
You're right that in theory subdomains are unrealistic examples, but does that
matter for an illustrative example?
Brian
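Added example, not from the thread or from any draft: a small triage check that applies Ekr's distinction above. Given a trusted name and a suspicious lookalike, it finds the registrable domain (eTLD+1) of each using an assumed, hand-picked subset of the Public Suffix List and the thread's own glyph confusions (1 for l, 0 for o), and reports whether the lookalike label sits in something anyone could register (examp1e.com) or only inside the trusted owner's zone (nu11.example.com).

```python
# Constructed example: classify a lookalike domain by whether the part that
# differs is registrable by a third party (per the public suffix list) or
# lies inside the trusted owner's own zone.

# Assumption: a tiny subset of the Public Suffix List (https://publicsuffix.org/).
# A real tool loads the full list and handles wildcard/exception rules,
# which are omitted here.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Assumption: glyph confusions limited to the thread's examples (1 for l,
# 0 for o). A fuller table would follow Unicode TR39 confusables.
CONFUSABLES = {"1": "l", "0": "o"}


def skeleton(name: str) -> str:
    """Map confusable glyphs to a canonical form so lookalikes compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


def registrable_domain(host: str):
    """Return the registrable domain (eTLD+1) of host, or None when host is
    itself a public suffix or matches no suffix in the (subset) list."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name toward the root: the first hit is the longest
    # public suffix, and the label just before it is the registrable one.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def classify_lookalike(candidate: str, trusted: str) -> str:
    """Classify candidate relative to trusted:
    'registrable-lookalike': the registrable part itself is a glyph lookalike,
        so any registrant could obtain it (examp1e.com vs example.com);
    'same-zone': candidate lives under the trusted registrable domain, so the
        lookalike label is under the owner's control, not a registrant's
        (nu11.example.com vs null.example.com);
    'not-registrable': candidate or trusted is a public suffix or unknown;
    'unrelated': no glyph relationship in the registrable part."""
    rc, rt = registrable_domain(candidate), registrable_domain(trusted)
    if rc is None or rt is None:
        return "not-registrable"
    if rc == rt:
        return "same-zone"
    if skeleton(rc) == skeleton(rt):
        return "registrable-lookalike"
    return "unrelated"
```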
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima