
DNS aside, Name.com is one of the only registrars I know of with reasonable security practices.

They support two-factor auth (almost no one else does), and have nicely scoped cookies (HTTP only, Secure flag, etc.).




The irony is that their actions can in fact make cookies their customers are using for their sites invulnerable.


I don't understand what you are saying? Is it that there is a security issue arising from the DNS hijacking? If so, what's the issue?


Say you set a session cookie that spans multiple subdomains (cookie domain = `.example.com`).

Now, if one of your authenticated users visits the wrong subdomain, they are directed to a server of name.com's choice.

That server now has access to your user's session ID (using JavaScript or PHP or whatever to read the cookie).
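
Added example, not part of the thread: a simplified model of RFC 6265 cookie matching that shows which cookies a browser attaches to a request for an unexpected subdomain, comparing a `Domain=.example.com` cookie with a host-only one. The host names, cookie names and helper functions are constructed for illustration; path matching and the origin check on `Domain` are omitted.

```javascript
// Simplified RFC 6265 matching (Domain attribute and Secure flag only).
// All hosts and cookie names are constructed sample values.

// RFC 6265 5.1.3: match if identical, or if host ends with "." + domain.
function domainMatch(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Turn a Set-Cookie header received from originHost into a stored cookie.
function storeCookie(setCookie, originHost) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(), hostOnly: true, secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "domain" && v) {
      // A leading dot is ignored; any Domain attribute enables subdomains.
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "httponly") {
      cookie.httpOnly = true; // hides from document.cookie, still sent to the server
    }
  }
  return cookie;
}

// Names of the cookies a browser would attach to a request for url.
function cookiesSentTo(jar, url) {
  const { hostname, protocol } = new URL(url);
  return jar
    .filter((c) => {
      const hostOk = c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain);
      return hostOk && (!c.secure || protocol === "https:");
    })
    .map((c) => c.name);
}

// Three session cookies, all set by www.example.com.
const jar = [
  storeCookie("sid_wide=abc; Domain=.example.com; HttpOnly", "www.example.com"),
  storeCookie("sid_wide_secure=def; Domain=.example.com; Secure; HttpOnly", "www.example.com"),
  storeCookie("sid_host=ghi; Secure; HttpOnly", "www.example.com"),
];
```

In this model only `sid_host`, set without a `Domain` attribute, is never sent to `typo.example.com`; `HttpOnly` does not help because the receiving server reads the cookie from the request headers.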


invulnerable? You mean "vulnerable", right?


Yeah, I meant vulnerable. My bad. :-)

Thanks for the correction.



