Hacker News new | past | comments | ask | show | jobs | submit login

I was talking about the ".well-known/browserid file being changed to something else" attack, #2.



Ah, sorry for the confusion then. I have to say, an attacker who can change random files on the server can do all sorts of naughty things. Serve evil javascript libs? Change server configuration? Insert her own TLS cert? Check, check, check. Why would .well-known stuff be any different?

For those who do have problem with this, I guess I see why they want DNS SRV, but I can also see why the "plain DNS" complaints sidetracked this functionality.


Well, it's not necessarily that. For example, my website serves an authority delegation file (https://stavros.io/.well-known/browserid) which I really don't want an attacker to mess with. Serving JS libs/changing the config/etc wouldn't get them anywhere, unless they could change that single file.

Since there are some ways to protect from that (I think the two I proposed above are reasonable), Mozilla probably should think about implementing it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: