On Wed, 10 Jan 2018 15:10:41 +0100 Patrick Figel via dev-security-policy <[email protected]> wrote:
> A user on Hacker News brought up the possibility that the fairly
> popular DirectAdmin control panel might also demonstrate the
> problematic behaviour mentioned in your report[1].

Although arguably tangential to the purpose of m.d.s.policy, I think it would be really valuable to understand what behaviours are actually out there and in what sort of volumes.

I know from personal experience that my own popular host lets me create web hosting for a 2LD I don't actually control. I had management agreement to take control, began setting up the web site, and then technical inertia meant control over the name was never actually transferred. The site is still there, but obviously in that case it needs an /etc/hosts override to visit from a normal web browser.

Would that host:

* Let me do this even if another of their customers was hosting that exact site? If so, would mine sometimes "win" over theirs, perhaps if they temporarily disabled access or due to some third criterion like our usernames or seniority of account age?
* Let me do this for sub-domains or sub-sub-domains of other customers, including perhaps ones which have a wildcard DNS entry so that "my" site would actually get served to ordinary users?
* Let me do this for DNS names that can't exist (like *.acme.invalid, leading to the Let's Encrypt issue we started discussing)?

I don't know the answer to any of those questions, but I think that even if they're tangential to m.d.s.policy somebody needs to find out, and not just for the company I happen to use.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
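From a defender's side, the three behaviours the mail asks about map onto three acceptance checks a control panel could run before creating a virtual host: reject reserved names that can never resolve (like *.acme.invalid), reject names at or under another customer's existing site (covering the wildcard-DNS case), and require that the name's DNS actually points at this host. The following is an added example written for this discussion, not DirectAdmin code or anything posted in the thread; the customer table, host address and resolver are constructed so it runs offline.

```python
import socket

# TLDs reserved so they never resolve on the public Internet (RFC 2606 / RFC 6761).
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}

def labels(name):
    """Lower-cased DNS labels, with any trailing dot removed."""
    return name.lower().rstrip(".").split(".")

def is_reserved(name):
    return labels(name)[-1] in RESERVED_TLDS

def under_other_customer(name, existing, requester):
    """True if name equals or sits below a vhost owned by a different customer."""
    ls = labels(name)
    for other_name, owner in existing.items():
        if owner == requester:
            continue
        ols = labels(other_name)
        if len(ls) >= len(ols) and ls[-len(ols):] == ols:
            return True
    return False

def points_at_host(name, host_ips, resolve):
    """True if at least one A record for name is one of this host's addresses."""
    try:
        _, _, addrs = resolve(name)   # same tuple shape as socket.gethostbyname_ex
    except OSError:
        return False
    return any(a in host_ips for a in addrs)

def check_vhost_request(name, requester, existing, host_ips, resolve):
    if is_reserved(name):
        return "reject: reserved TLD"
    if under_other_customer(name, existing, requester):
        return "reject: name is under another customer's site"
    if not points_at_host(name, host_ips, resolve):
        return "reject: DNS does not point at this host"
    return "accept"

# Constructed sample data: two existing customers and this host's one address.
EXISTING = {"alpha-site.net": "alice", "beta-site.org": "bob"}
HOST_IPS = {"192.0.2.10"}
FAKE_DNS = {"alpha-site.net": ["192.0.2.10"], "www.beta-site.org": ["192.0.2.10"],
            "gamma-site.com": ["198.51.100.5"], "delta-site.com": ["192.0.2.10"]}

def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname_ex using the constructed table."""
    if name not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return (name, [], FAKE_DNS[name])

def decide(name, requester):
    return check_vhost_request(name, requester, EXISTING, HOST_IPS, fake_resolve)
```

In production `fake_resolve` would be replaced by `socket.gethostbyname_ex` (or a resolver library), and the customer table would come from the panel's database.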

