On Mon, Jun 10, 2019 at 1:48 PM Brian E Carpenter <[email protected]> wrote:

> On 11-Jun-19 04:21, Eric Rescorla wrote:
> >
> > On Mon, Jun 10, 2019 at 7:49 AM Michael Richardson <[email protected]> wrote:
> >
> >     {I've clipped the CC list}
> >
> >     Eric Rescorla <[email protected]> wrote:
> >     >> On 09-Jun-19 01:37, Eliot Lear wrote:
> >     >>
> >     >> >> On 7 Jun 2019, at 23:17, Toerless Eckert <[email protected]> wrote:
> >     >> >>
> >     >> >> Ok, now I got you (I hope ;-).
> >     >> >>
> >     >> >> I really liked the c1sco example (not sure if we should mention a real
> >     >> >> company name in such an rfc; someone not reading the draft might take
> >     >> >> offense, maybe examp1e.com instead though).
> >     >> >
> >     >> > This is a bit tricky with the glyph attack, but certainly the base
> >     >> > should be example.com.
> >     >>
> >     >> Can you use null.example.com and nu11.example.com?
> >     >>
> >     > That's a little unfortunate from the perspective of this attack because
> >     > .com is a public suffix [0] whereas example.com is not.
> >     >
> >     > -Ekr
> >     >
> >     > [0] https://publicsuffix.org/
> >
> >     okay, I'm trying to understand the relevance of this from the point of an
> >     example in an RFC.
> >
> >     We need to put the example under example.*, but we can't use examp1e.com,
> >     because it's not an example domain.
> >
> >     Brian suggested the example null vs nu11.
> >     This is not about super-cookies, etc. and it doesn't suggest any kind of
> >     process involving the list of publicsuffixes.
> >
> >
> > The general shape of this kind of attack is that the attacker wants to
> > impersonate A and so gets a domain with name A' that looks like A. However,
> > this depends on A' being something the attacker can register. The public
> > suffix list embodies the concept (more or less) of "anyone can register
> > here". By contrast, a.example.com is (I assume) owned by example.com and so
> > your average attacker can't do anything with b.example.com.
>
> However, examp1e.com is 2001:470:1f07:1126::555:1212 or 64.57.183.2 so we
> *really* can't use it. examp1e.net is 133.242.206.244 and actually
> responds to HTTP.
>
> You're right that in theory subdomains are unrealistic examples, but does
> that matter for an illustrative example?
>

Why not instead use two domain names that end in .example? E.g., demo.example and dem0.example

-Ekr

> Brian
>
>
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
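The distinction Ekr draws in the thread (a lookalike name only matters if its registrable domain, the label directly under a public suffix, is something a third party could register; null.example.com and nu11.example.com share example.com, while demo.example and dem0.example are separate registrations) can be turned into a small triage check. The following is an added example, not code from the thread or from any IETF draft. Its public-suffix table is a constructed subset standing in for the real list at https://publicsuffix.org/, and its confusable map covers only single-character swaps such as 1/l and 0/o; the function names, the sample hostnames and the "protected" list are all constructed for illustration.

```python
"""Lookalike-domain triage: flag observed hostnames whose *registrable* domain
differs from a protected one but collapses to the same string once confusable
characters are folded.

Added example, not from the Anima thread. PUBLIC_SUFFIXES is a constructed
stand-in for the real public suffix list; CONFUSABLES is a deliberately small
single-character map.
"""

# Constructed subset of public suffixes; the real list is far larger.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "uk"}

# Characters that read alike in many fonts, folded to one canonical form.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


def registrable_domain(host):
    """Return the eTLD+1 of host, or None if host is itself a public suffix
    or ends in a suffix our table does not know."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name downwards so the longest listed suffix wins
    # ("co.uk" is matched before "uk").
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def skeleton(name):
    """Fold confusable characters so lookalikes collapse to the same string."""
    return name.lower().translate(CONFUSABLES)


def classify(candidate, protected):
    """Relate an observed hostname to a hostname we want to protect."""
    cand_reg = registrable_domain(candidate)
    prot_reg = registrable_domain(protected)
    if cand_reg is None or prot_reg is None:
        return "unresolvable"
    if cand_reg == prot_reg:
        # Same registration: subdomains under it belong to the same owner,
        # so this is not a third-party impersonation (null. vs nu11.example.com).
        return "same-registrable"
    if skeleton(cand_reg) == skeleton(prot_reg):
        # A separately registrable name whose skeleton matches ours
        # (demo.example vs dem0.example).
        return "lookalike"
    return "unrelated"


def find_lookalikes(observed, protected_hosts):
    """Return (observed, protected) pairs a defender should review."""
    hits = []
    for host in observed:
        for prot in protected_hosts:
            if classify(host, prot) == "lookalike":
                hits.append((host, prot))
    return hits


if __name__ == "__main__":
    # Constructed sample of newly seen names, e.g. from certificate logs.
    seen = ["nu11.example.com", "dem0.example", "examp1e.com",
            "shop.demo.example", "exarnple.com"]
    for h, p in find_lookalikes(seen, ["demo.example", "example.com"]):
        print(f"{h} looks like {p}")
```

Because the comparison runs on registrable domains rather than full hostnames, nu11.example.com and shop.demo.example are classified as the owner's own subdomains and never reported, which is exactly why the thread argues a subdomain pair makes an unrealistic illustration of the attack. Multi-character confusables such as "rn" for "m" are out of scope for this map, so exarnple.com is left as unrelated; a production check would use a fuller confusable table and the real public suffix list.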
