IETF Logo Mail Archive

Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

Gervase Markham <gerv@mozilla.org> Thu, 23 February 2012 14:47 UTC

Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F265921F8824 for <websec@ietfa.amsl.com>; Thu, 23 Feb 2012 06:47:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a30YSp60h-2F for <websec@ietfa.amsl.com>; Thu, 23 Feb 2012 06:47:31 -0800 (PST)
Received: from dm-mail03.mozilla.org (dm-mail03.mozilla.org [63.245.208.213]) by ietfa.amsl.com (Postfix) with ESMTP id 8535F21F8823 for <websec@ietf.org>; Thu, 23 Feb 2012 06:47:31 -0800 (PST)
Received: from [192.168.0.101] (93.243.187.81.in-addr.arpa [81.187.243.93]) (Authenticated sender: gerv@mozilla.org) by dm-mail03.mozilla.org (Postfix) with ESMTP id 49A314AEDD1; Thu, 23 Feb 2012 06:47:30 -0800 (PST)
Message-ID: <4F465180.6030807@mozilla.org>
Date: Thu, 23 Feb 2012 14:47:28 +0000
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20120118 Thunderbird/10.0
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
References: <20120202220021.31936.37346.idtracker@ietfa.amsl.com> <C35E9FBD-8AF7-4F63-B798-1316B985E032@checkpoint.com> <255B9BB34FB7D647A506DC292726F6E114EC261141@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114EC261141@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 14:47:32 -0000

On 23/02/12 00:26, Manger, James H wrote:
> Wouldn’t it be better for SSL VPNs to use lots of sub-domains? For
> instance, to map internal sites to:
>
> https://a.sslvpn.example.com/webmail
>
> https://b.sslvpn.example.com/wiki/index.html
>
> https://c.sslvpn.example.com/stuff

This would be much better. It would still allow the sites in some 
circumstances to maliciously mess with each other's cookies if they chose.

I'm not entirely familiar with VPN technology, but if it were possible 
for VPNs everywhere always to use the same domain name for this purpose, 
e.g. vpn.example, then we could add *.vpn.example to the Public Suffix 
List and get at least some sort of protection between subdomains. Or 
even code in "strip off this prefix before doing domain calculations" 
support into clients.

Just ideas :-)

Gerv

v2.23.0 | Report a Bug | By Email