
The IETF WG DBOUND tried to find a better solution to this problem and did not reach any consensus. fwiw.

https://datatracker.ietf.org/wg/dbound/about/

The current way most of this is handled is via a list published at publicsuffix.org (commonly known as the "Public Suffix List" or "PSL"), and the general goal is to accommodate anything people are using that for today. However, there are broadly speaking two use patterns. The first is a "top ancestor organization" case. In this case, the goal is to find a single superordinate name in the DNS tree that can properly make assertions about the policies and procedures of subordinate names. The second is to determine, given two different names, whether they are governed by the same administrative authority. The goal of the DBOUND working group is to develop a unified solution, if possible, for determining organizational domain boundaries. However, the working group may discover that the use cases require different solutions. Should that happen, the working group will develop those different solutions, using as many common pieces as it can.


A 1 yen coin has a mass of 1 gram, which can be handy for measuring stuff.


Absolutely! And some eTLDs are preloaded (like .dev) already, and that of course applies to the domains registered in them, which is a nice property.


You're thinking of an exploit in SPDY (the h2 predecessor) in which the headers were just run through the same gzip context. The HPACK format in h2 and h3 is meant to remove those oracles (though it is less effective bytewise than gzip).


Protecting against the zero-bound is the value; that's not a scam. As the ratio of potential loss to net worth drops, that's less interesting and so is the insurance.

Varying levels of deductible choices hard code this notion even further into the system. If you're farther from zero-bound worries you can essentially buy less insurance with a high deductible.


I think we'll see some DNS version of Alt-Svc that doesn't require TCP to bootstrap; see HTTPSSVC and SVCB.


WebSockets is carried on TCP. Often bootstrapped on HTTPS tcp/443.


Preamble of chunk length and 1 bit for end-of-message indicator. If you only do chunk length you will eventually find you can't stream but want to.

Or just use HTTP.
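The framing described in that comment, as an added example that is not the commenter's code: a constructed 4-byte preamble whose top bit is the end-of-message flag and whose low 31 bits are the chunk length, with an incremental decoder that tolerates partial reads and bounds the reassembled message size so a hostile peer cannot grow the buffer without limit.

```python
import struct
from typing import Iterable, List

# Constructed wire format (assumption, not from the original comment):
# 4-byte big-endian preamble; MSB = end-of-message (EOM), low 31 bits = chunk
# length. A message is one or more chunks, the last carrying EOM, so the
# sender can start transmitting before it knows the total message size.
EOM_BIT = 0x80000000
MAX_CHUNK = 0x7FFFFFFF


def encode_chunk(payload: bytes, end_of_message: bool) -> bytes:
    if len(payload) > MAX_CHUNK:
        raise ValueError("chunk too large for 31-bit length")
    header = len(payload) | (EOM_BIT if end_of_message else 0)
    return struct.pack(">I", header) + payload


def encode_message(chunks: Iterable[bytes]) -> bytes:
    """Frame pieces that arrive incrementally; only when the iterator is
    exhausted do we know which chunk is last and gets the EOM bit."""
    out, prev = [], None
    for chunk in chunks:
        if prev is not None:
            out.append(encode_chunk(prev, False))
        prev = chunk
    out.append(encode_chunk(prev if prev is not None else b"", True))
    return b"".join(out)


class Decoder:
    """Feed arbitrary byte slices (a split header or payload is fine) and
    get back fully reassembled messages."""

    def __init__(self, max_message: int = 1 << 20) -> None:
        self.buf = bytearray()      # bytes not yet parsed into a chunk
        self.partial = bytearray()  # chunks of the message in progress
        self.max_message = max_message

    def feed(self, data: bytes) -> List[bytes]:
        self.buf += data
        messages = []
        while len(self.buf) >= 4:
            (header,) = struct.unpack(">I", self.buf[:4])
            length = header & MAX_CHUNK
            if len(self.buf) < 4 + length:
                break  # wait for the rest of this chunk
            self.partial += self.buf[4:4 + length]
            del self.buf[:4 + length]
            if len(self.partial) > self.max_message:
                raise ValueError("message exceeds limit")  # cap memory per peer
            if header & EOM_BIT:
                messages.append(bytes(self.partial))
                self.partial = bytearray()
        return messages
```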


The author is writing, in that section, about blind (i.e. off-path) attacks. Given the attacker in that model is off-path, they don't see the challenge ACK.


QUIC is considerably more resilient than TCP to RST attacks because it authenticates the transport itself once the handshake is complete.

