On Thu, Apr 11, 2013 at 6:32 PM, Michal Zalewski <lcam...@coredump.cx> wrote: > This is fairly well-known, I think; for example, there's a mention of this > here (search for appspot.com): > > http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html
Yes, the idea of such DoS technique is not new, but I've never seen it discussed in a context of CDNs. The impact of the attack against blogging platform is limited compared to the impact of the attack against a popular CDN that many sites depend on. Yet, blogspot.com is on the Public Suffix List, but no CDNs are there (excluding Amazon's that was recently added). And CDNs are much easier to protect than applications like Blogger, you don't need to redesign authentication mechanism, the suffix domain is already cookieless. So I think it is worth writing about the issue to encourage more CDN providers to add their domains to the PSL. BTW. I've added a link to your post. Thanks, Jan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/