Inventor

@siegi @fediversereport

Are you saying that someone in the government can create a rogue "mastodon.admin.ch"?
What you're saying doesn't make sense. Subdomains are irrelevant. Telling people otherwise will only cause more phishing attacks.
Example: social.govern.ment.eu
People fall for stuff like that. "social." is irrelevant.

8 comments
Gregory Trolliet

@inventor @siegi @fediversereport I don't understand. As owner of trolliet.info, you mean that anybody can create social.trolliet.info without my consent and/or knowledge?

Inventor

@Faket @siegi @fediversereport
What I am saying is that you or anyone who is not the government could register any domain similar to a domain that a legit governmental organization uses, i.e. mimic it, and then create a "social." subdomain to lure fools.
Example: social.govern.ment.eu being created by the owner of ment.eu is totally plausible.
It will happen if this idea that "subdomains mean something" takes root.

Gregory Trolliet

@inventor @siegi @fediversereport But since the owner/administrator of admin.ch is the government, what better way to certify a new service than to make it a service.admin.ch?

Inventor

@Faket @siegi @fediversereport
It is already certified by the domain. The subdomain is arbitrary and serves no purpose other than being a name for a service/server/something. The end user must only pay attention to the domain and TLS certificate for the purpose of validation of legitimacy.

Gregory Trolliet

@inventor @siegi @fediversereport So? Are you saying that doing a social.admin.ch subdomain is a good thing? I don't understand your point TBH.

Inventor

@Faket @siegi @fediversereport
My point makes reference to this quote from the second post on this thread:
"Following this pattern (social. subdomains) makes it immediately clear to people they are communicating with an official government account."

This is false. Establishing a convention may be a cool idea, but it adds nothing to security or "making anything clear". Subdomains mean nothing in terms of validation of legitimacy.
Root domains and certificates, on the other hand, mean everything.

Gregory Trolliet replied to Inventor

@inventor @siegi @fediversereport Are you suggesting that it's not better to have a [social|mastodon|toot|whatever].admin.ch than any other random root domain?

Inventor replied to Gregory

@Faket @siegi @fediversereport It makes no difference.
In fact, now that I think of it, a simple convention about subdomains doesn't make sense either, since many countries speak different languages.
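
Added example, not part of any post in this thread: a check that reduces a hostname to its registrable domain before comparing it with a list of known official domains, using the hostnames quoted above. The rule set is a small constructed subset of the Public Suffix List, the function names and the `OFFICIAL` set are assumptions for illustration, and hostnames are assumed to be ASCII already.

```python
# Constructed subset of Public Suffix List rules (the real list is far longer).
PSL_RULES = {"ch", "eu", "info", "uk", "co.uk", "*.ck", "!www.ck"}

def public_suffix_len(labels):
    """Return how many trailing labels form the public suffix."""
    best = 1  # default rule "*": the last label alone counts as a suffix
    for i in range(len(labels)):
        candidate = labels[i:]
        name = ".".join(candidate)
        if "!" + name in PSL_RULES:
            # Exception rule: the suffix is the rule minus its leftmost label.
            return len(candidate) - 1
        wildcard = ".".join(["*"] + candidate[1:])
        if name in PSL_RULES or wildcard in PSL_RULES:
            best = max(best, len(candidate))  # longest matching rule wins
    return best

def registrable_domain(hostname):
    """Public suffix plus one label, or None for a bare suffix or bad name."""
    labels = hostname.lower().rstrip(".").split(".")
    if "" in labels:
        return None
    n = public_suffix_len(labels)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def is_official(hostname, official_domains):
    """True only if the host's registrable domain is a known official one."""
    return registrable_domain(hostname) in official_domains

# Hypothetical allowlist; the hostnames below are the ones quoted in the thread.
OFFICIAL = {"admin.ch"}

if __name__ == "__main__":
    for host in ("mastodon.admin.ch", "social.admin.ch",
                 "social.govern.ment.eu", "social.trolliet.info"):
        print(f"{host:24} -> {registrable_domain(host):14} "
              f"official={is_official(host, OFFICIAL)}")
```

The leftmost labels never enter the comparison, so `social.govern.ment.eu` is judged as `ment.eu` regardless of how its subdomains are named.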
