Myrion

@inventor how so? In the Swiss example, the govt controls admin.ch, and no-one else can create those subdomains. Sure, it could be a rogue sysadmin, but that would get discovered and shut down quickly.

Anything from *.admin.ch has official character.

Inventor

@myrion
Are you saying that someone in the government can create a rogue "mastodon.admin.ch"?
What you're saying doesn't make sense. Subdomains are irrelevant. Telling people otherwise will only cause more phishing attacks.
Example: social.govern.ment.eu
People fall for stuff like that. "social." is irrelevant.

Myrion

@inventor I'm saying that's the only way I can see someone getting a *.admin.ch subdomain without it being official, yes.

I don't think it's likely to happen.

And no, I'm not worried about someone creating social.ad.min.ch (if I'm understanding your examples correctly) to confuse people. It would have happened long ago already, since the Swiss government has been using admin.ch for years now for official communications.

Myrion

@inventor I understand the concept of phishing attacks. I understand that they can even be performed against government workers.

This doesn't change the simple fact that admin.ch has been the official domain of the Swiss government for years and that social.admin.ch clearly is from the Swiss government, and that other governments following the same structure of social.well-known.domain is perfectly sensible.

At this point, I'm very confused about what you're even trying to argue, as the article doesn't have a single example mentioning subdomains (frankly, no details at all).

Phishing exists, therefore governments shouldn't be on the fediverse?
Phishing exists, therefore government accounts must be... what? Only from the main domain, because that's somehow safer?

Myrion

@inventor to rephrase my argument most clearly:

The Swiss government has been using *.admin.ch for official communication for years.

Phishing attacks pretending to be the Swiss government have happened.

This doesn't make communication from *.admin.ch any less clearly official.

This holds true even when *==social.

Inventor

@myrion
"government accounts must be only from the main domain, because that's somehow safer?"

It can be from any subdomain under a valid root domain. Examples: "социальные.", "с.", "со.", "sociaux.", "sosyal.", "mastodon."... literally anything. Doesn't matter at all.

Only the root domain and certificate matter.

Myrion

@inventor aha! Then I misunderstood your objection.

I will say that while it's true, I think it's a bit pedantic. The OP wasn't suggesting, afaict, that "social.any.domain" clearly would be official, but that "social.known.domain" would be clearly official, and sensible - in that it's like the ".well-known" directory on a webserver.

"Use the known domain, look for the social subdomain and voilà, there are the official social media accounts" seems like a useful approach to me.
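Added example, not part of any post in this thread: the point the thread converges on, that trust comes from the known parent domain and not from the leftmost label, written as a label-by-label hostname check in Python. The allow-list `TRUSTED_PARENTS` and the function names are assumptions made for illustration; certificate validation is left to the TLS client.

```python
# Added example: decide whether a hostname sits under a known official domain.
# Comparison is done on whole DNS labels, never on raw string suffixes.

# Assumption: the verifier keeps its own allow-list of official parent domains.
TRUSTED_PARENTS = {"admin.ch"}


def normalize(host: str) -> list[str]:
    """Lower-case, drop a trailing root dot, punycode-encode each label."""
    host = host.strip().rstrip(".").lower()
    labels = []
    for label in host.split("."):
        if not label:
            raise ValueError("empty DNS label")
        # The stdlib 'idna' codec turns Unicode labels into their xn-- form
        # and rejects labels that are too long or otherwise invalid.
        labels.append(label.encode("idna").decode("ascii"))
    return labels


def is_under_trusted_parent(host: str, parents=TRUSTED_PARENTS) -> bool:
    """True if host equals a trusted parent or is any subdomain of one."""
    try:
        labels = normalize(host)
    except ValueError:  # UnicodeError from the codec is a ValueError subclass
        return False
    for parent in parents:
        parent_labels = normalize(parent)
        n = len(parent_labels)
        # The rightmost n labels must match exactly; what precedes them
        # ("social", "mastodon", a Cyrillic label, ...) is irrelevant.
        if len(labels) >= n and labels[-n:] == parent_labels:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample hostnames, using the names mentioned in the thread.
    for h in ["social.admin.ch", "социальные.admin.ch", "Mastodon.ADMIN.ch.",
              "social.ad.min.ch", "socialadmin.ch", "admin.ch.example.net"]:
        print(f"{h:28} {is_under_trusted_parent(h)}")
```
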
