home.social

#subdomains — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #subdomains, aggregated by home.social.

  1. @ScottHelme wrote: "The change I referred to prevents arbitrary sibling/parent-domain abuse […]"

    I'm not sure if you're referring to the possible match on
    "evil-example.com" (see screenshot) in the old code, but if I remember correctly (from my analysis approx. 3 years ago), the client will only accept an exact match of "example.com" or
    "<whatever_including_dots>.example.com".

    So albeit ugly, the old server code should not pose a risk I guess?

    W.r.t. unexpected abuse of valid subdomains (*): my worry is that people will use your code for their site without modification, never considering the risk I described.

    (*) Or malicious JS (3rd party or XSS) on the main domain - while WebAuthn handling was supposed to take place only on e.g. "login.example.com" (using a dedicated subdomain may be a good idea like Dirk Balfanz wrote).

    Since your site appears to be using passkeys as an additional factor, the users of your site may not be at risk. However, the idea of passkeys was to "go passwordless", something that other users of your code will probably embrace.

    I haven't scanned all of your code, but if not present, my advice is to at least add a warning for unexpected WebAuthn processing on a subdomain (or even the main domain).

    #Passkeys #RPID #SubDomains #WebAuthn

  2. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  3. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  4. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  5. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  6. Ah yes, the classic tale of a college freshman who thinks they've discovered the Holy Grail of tech hacks: #subdomains on a campus network. 🤦‍♂️ Of course, turning this "revelation" into a grand scheme to control every projector and camera on campus is just one #DNS record short of a Hollywood blockbuster. 🎬💻
    edna.land/blogs/posts/scanning/ #techhacks #collegefreshman #cybersecurity #campuslife #HackerNews #ngated

  7. I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.

    #domains #subdomains #web #onlinelife

  8. I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.

    #domains #subdomains #web #onlinelife

  9. I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.

    #domains #subdomains #web #onlinelife

  10. I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.

    #domains #subdomains #web #onlinelife

  11. I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.

    #domains #subdomains #web #onlinelife

  12. How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?

    #AskFedi #Domains #Subdomains #Redirects

  13. How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?

    #AskFedi #Domains #Subdomains #Redirects

  14. How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?

    #AskFedi #Domains #Subdomains #Redirects

  15. How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?

    #AskFedi #Domains #Subdomains #Redirects

  16. How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?

    #AskFedi #Domains #Subdomains #Redirects

  17. Subdomain enumeration is an essential OSINT technique. Amass and Subfinder are well-known enumeration tools, but they have limitations. Explore this comprehensive database with over 200 sources.

    osintteam.com/passive-subdomai

    #OSINT #Subdomains #Domains #DNS #enumeration

  18. Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before?
  19. Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before?
  20. Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before?
  21. Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before?
  22. Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before?
  23. @[email protected]

    I originally named my
    #server with the intention of setting up sub #domains for other #social sites.

    Right now I only have
    #subdomains for #VPS instances with #databases and other side projects.

  24. I cannot connect to one of my #subdomains. I have added the #CNAME pointing to my parent #domain. But the subdomain gives an error when I #ping it.
    Error:
    ping: subdomain.domain.tld: Name or service not known


    What am I missing? I have never had this before.
  25. I cannot connect to one of my #subdomains. I have added the #CNAME pointing to my parent #domain. But the subdomain gives an error when I #ping it.
    Error:
    ping: subdomain.domain.tld: Name or service not known


    What am I missing? I have never had this before.