Monday, February 12, 2007

bad security assumption

Good assumption:
My domain (DNS) name is not safe from forgery. Bad people might "hijack" it and use it to pretend they are me.

Bad assumption:
If my domain name is hijacked or spoofed, then I lose control of all the subdomains too. This means that if someone else pretends to be then they will also take control over, and

Why this is wrong: DNS spoofing happens at the record level, and since each subdomain is a separate record, an attacker might control one subdomain while you retain control over the rest.

Consequence of this: The same-origin policy enforced by most browsers says this: scripts served by one host cannot access, execute or change data served by another host. In this case and are considered different hosts.

There is one exception to the rule: a page may set its "document.domain" property to a suffix of its current domain. For example, a page served by may set its domain to AFTER it is served. In this case, can play with's data.

Your data is no longer safe unless you control all of your subdomains. The case used to be simpler: a phisher or pharmer had to create a complete duplicate of a site to fool you with it. Now he just creates a parasite frame and watches you interact with the real thing. Beware of visiting
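As an added example (not part of the original post), here is a small JavaScript model of the document.domain suffix rule described above, applied to the parasite-subdomain scenario; the hostnames and public-suffix list are constructed placeholders. It also goes one step further than the post by modelling the rule from the current HTML spec that both pages must have set document.domain before they can script each other, which is the lever a site owner has.

```javascript
// Added example, not from the original post. Models the document.domain
// relaxation rule and the resulting same-origin decision. All hostnames
// below are constructed placeholders, not real sites.

// Browsers refuse to set document.domain to a public suffix; a small
// constructed list stands in for the real public suffix list here.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// A page on `host` may set document.domain to `value` only if `value`
// is the host itself or a dot-separated suffix of it, and not a public suffix.
function canSetDocumentDomain(host, value) {
  if (value === host) return true;
  if (!host.endsWith("." + value)) return false;
  return !PUBLIC_SUFFIXES.has(value);
}

// Effective domain used for the scripting check (falls back to the host).
function effectiveDomain(page) {
  return page.documentDomain === undefined ? page.host : page.documentDomain;
}

// Per the HTML spec, two pages script each other only if neither has set
// document.domain and their hosts match, or both have set it and the
// resulting domains match. A page that never sets it stays isolated.
function canScriptEachOther(a, b) {
  const aSet = a.documentDomain !== undefined;
  const bSet = b.documentDomain !== undefined;
  if (!aSet && !bSet) return a.host === b.host;
  if (aSet !== bSet) return false;
  return effectiveDomain(a) === effectiveDomain(b);
}

// Scenario from the post: a hijacked subdomain record ("evil.example.com",
// constructed) frames the real "www.example.com" and relaxes its domain.
// `parentSetsDomain` models whether the real site also opted in.
function scenario(parentSetsDomain) {
  const parent = { host: "www.example.com" };
  const parasite = { host: "evil.example.com" };
  if (canSetDocumentDomain(parasite.host, "example.com")) {
    parasite.documentDomain = "example.com";
  }
  if (parentSetsDomain) parent.documentDomain = "example.com";
  return canScriptEachOther(parent, parasite);
}
```

The defensive takeaway: a site that never sets document.domain cannot be reached this way even if a sibling subdomain is hijacked, so audit your pages for that setter as well as your DNS records.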


(Link to Abe Fettig's explanation)
(Link to Same-Origin Policy info)
