Email or username:

Password:

Forgot your password?
Fediverse's posts Post Back to profile
Top-level
Myrion

@inventor I understand the concept of phishing attacks. I understand that they can even be performed against government workers.

This doesn't change the simple fact that admin.ch has been the official domain of the Swiss government for years and that social.admin.ch clearly is from the Swiss government, and that other governments following the same structure of social.well-known.domain is perfectly sensible.

At this point, I'm very confused about what you're even trying to argue, as the article doesn't have a single example mentioning subdomains (frankly, no details at all).

Phishing exists, therefore governments shouldn't be on the fediverse?
Phishing exists, therefore government accounts must be... what? Only from the main domain, because that's somehow safer?

13 Sep 2023 at 19:22 | Wall-to-wall | Open on infosec.exchange
3 comments
Myrion

@inventor to rephrase my argument most clearly:

The Swiss government has been using *.admin.ch for official communication for years.

Phishing attacks pretending to be the Swiss government have happened.

This doesn't make communication from *.admin.ch any less clearly official.

This holds true even when *==social.

13 Sep 2023 at 19:25 | Open on infosec.exchange
Inventor

@myrion
"government accounts must be only from the main domain, because that's somehow safer?"

It can be from any subdomain under a valid root domain. Examples: "социальные.", "с.", "со.", "sociaux.", "sosyal.", "mastodon."... literally anything. Doesn't matter at all.

Only the root domain and certificate matter.

13 Sep 2023 at 19:29 | Open on linuxrocks.online
Myrion

@inventor aha! Then I misunderstood your objection.

I will say that while it's true, I think it's a bit pedantic. The OP wasn't suggesting, afaict, that "social.any.domain" clearly would be official, but that "social.known.domain" would be clearly official, and sensible - in that it's like the ".well-known" directory on a webserver.

Use the known domain, look for the social subdomain and voilà, there's the official social media accounts seems like a useful approach to me.

13 Sep 2023 at 19:34 | Open on infosec.exchange
Go Up