On 23/02/12 00:26, Manger, James H wrote:
> Wouldn’t it be better for SSL VPNs to use lots of sub-domains? For
> instance, to map internal sites to:
>
> https://a.sslvpn.example.com/webmail
>
> https://b.sslvpn.example.com/wiki/index.html
>
> https://c.sslvpn.example.com/stuff

This would be much better. It would still allow the sites in some circumstances to maliciously mess with each other's cookies if they chose.

I'm not entirely familiar with VPN technology, but if it were possible for VPNs everywhere always to use the same domain name for this purpose, e.g. vpn.example, then we could add *.vpn.example to the Public Suffix List and get at least some sort of protection between subdomains. Or even code in "strip off this prefix before doing domain calculations" support into clients.

Just ideas :-)

Gerv
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
