On Tue, Jan 13, 2015 at 2:40 AM, Gervase Markham <[email protected]> wrote:
> On 12/01/15 19:18, Chris Hartmann wrote:
>> 2) a.com forms a business relationship with b.com to perform a
>> business function on its behalf (payment processor, blog, whatever).
>> The landing page is b.com/a
>
> Would it not be reasonable to say that, when this sort of relationship
> is set up, best practice is to do DNS delegation so that the landing
> page is on b.a.com or some other subdomain of a.com?
>

Absolutely. However, my impression is that it isn't common practice for two parties to integrate at this level consistently. For example, a Google search can show the organizations that presumably have a web presence that is theirs, but how do I _know_, in an undeniable manner, that they are a subsidiary of their parent domain?

https://www.google.com/webhp?#q=imagine+dragons+-site:imaginedragonsmusic.com
https://www.google.com/search?q=cnn%20-site%3Acnn.com

Yeah, we all make conscious cross-references here, which can give us a pretty good sense of correlation, and usually guessing wrong isn't catastrophic. Sometimes the third parties do make efforts to assure users that the landing pages are "verified" as authentic, but that is pretty weak.

My argument is that this doesn't have to be hearsay or a manual correlation effort; the user-agent should be able to tell us the truth. This might seem trivial and unnecessary, which is a valid argument in some cases, but my belief is that this is one of the core properties that makes phishing attempts more murky to end users in the corner cases that matter. This is what I would hope to fix.

>> 3) Bob visits b.com/a and notices that the page claims to be
>> affiliated and owned by a.com
>
> ...because then, both the DNS info and the claim would match.
>
>> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated
>> and a delegated service by a.com? (say, prior to submitting sensitive
>> information)
>
> Because the domain used is a subdomain of a.com.
>
> Gerv

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
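The DNS-delegation signal Gerv describes, as an added example that is not part of the thread: a user-agent-side check that accepts a landing page only when its host is a DNS subdomain of the claimed parent domain. It shows why b.a.com passes while b.com/a does not, and why the comparison must be label-wise rather than a string suffix match (so a.com.b.com and nota.com are rejected). The function names and the sample URLs are constructed for this illustration.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercased host of an absolute URL, with any port and
    trailing dot removed. Raises ValueError for URLs without a host."""
    host = urlsplit(url).hostname  # already lowercased; port is separate
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def is_delegated_to(landing_url: str, parent_domain: str) -> bool:
    """True iff the landing page host is parent_domain or a DNS subdomain
    of it. The URL path is ignored on purpose: b.com/a lives under b.com's
    control, so a path can never express delegation by a.com."""
    host_labels = host_of(landing_url).split(".")
    parent_labels = parent_domain.lower().rstrip(".").split(".")
    if len(host_labels) < len(parent_labels):
        return False
    # Compare trailing DNS labels, not string suffixes: "nota.com" must not
    # match "a.com", and "a.com.b.com" ends in the labels ["b", "com"].
    return host_labels[-len(parent_labels):] == parent_labels


def evaluate_claims(claims):
    """Given (landing_url, claimed_parent) pairs, return a list of
    (landing_url, claimed_parent, verdict) so each page's claim of
    affiliation is judged by DNS delegation alone."""
    return [(url, parent, is_delegated_to(url, parent)) for url, parent in claims]


if __name__ == "__main__":
    # Constructed sample: the thread's scenario plus two look-alike hosts.
    sample = [
        ("https://b.a.com/pay", "a.com"),      # delegated subdomain: trusted
        ("https://b.com/a", "a.com"),          # path under b.com: not trusted
        ("https://a.com.b.com/login", "a.com"),  # a.com only as a prefix
        ("https://nota.com/", "a.com"),        # string suffix, not a subdomain
    ]
    for url, parent, ok in evaluate_claims(sample):
        print(f"{url:32} claims {parent:8} -> {'delegated' if ok else 'unverified'}")
```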
