[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Kristof Zelechovski giecrilj at stegny.2a.pl
Tue Sep 30 08:12:27 PDT 2008

I am afraid we are going in circles here.  You suggested that the embedded
content should be stored on the server that provides the interface.  Now you
explain how it can be stored on the media provider's server.  That is
nothing new - except that it has nothing to do with your original position.

-----Original Message-----
From: Elliotte Harold [mailto:elharo at metalab.unc.edu] 
Sent: Tuesday, September 30, 2008 5:03 PM
To: Kristof Zelechovski
Cc: 'WHAT WG List'
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to
the current web

Kristof Zelechovski wrote:
> If you set up a mirror with the same host name as the content provider
> you will probably get sued for identity theft, cybersquatting, forgery or
> whatever.

No, only the content provider (really the domain name owner) can set up 
these mirrors. This is nothing new. This is how the web and DNS work 
*today*. Many high volume sites--such as www.google.com, www.amazon.com, 
www.nytimes.com, and so forth--send you to different physical boxes 
depending on where you're connecting from. These boxes are usually 
chosen to be close to the end user. For instance, a reader on the East 
Coast might get www.nytimes.com in New York but one on the West Coast 
might get a box in Los Angeles. A reader in Japan might get a box in 
Japan.  (I don't know if this is actually how the NYT sets up its 
servers or not. Some tracerouting from different locations might find 
out quickly.)

Large content providers already move their content closer to the end 
user. They do this by physically locating boxes with the same host name 
and fancy DNS and router tricks. The details are complex, which is why 
CCNAs get the big bucks. But they do not do this by linking to 3rd party 

Elliotte Rusty Harold  elharo at metalab.unc.edu
Refactoring HTML Just Published!
