[whatwg] Domain transfer security

Ian Hickson ian at hixie.ch
Wed Aug 29 15:05:35 PDT 2012

On Tue, 12 Jun 2012, Simon Brown wrote:
> I have thought of a possible security problem that may be reduced with a 
> change to the specifications (though I'm not sure exactly how).
> 1. An attacker has control of a popular site.
> 2. The attacker buys a valuable domain.
> 3. The attacker creates a page on the site that sends all
> cookies/localstorage/etc. to their site.
> 4. The attacker enables caching the page with appcache.
> 5. The attacker embeds the page in a small iframe on the popular site,
> so that anyone visiting the popular site has the page cached.
> 6. The attacker sells the domain on.
> 7. The popular site continues to receive traffic, and people who
> regularly visit both sites have their session/data/etc. on the new site
> compromised.
> I guess one possible solution would be to allow SSL sites to specify 
> through a header that only appcaches from certain public keys to be 
> carried over, though this seems quite complicated and wouldn't work for 
> the majority of websites.

The new domain just has to return 404 for the old manifest for the cache 
to be blown away as soon as the user loads the cache. It's unlikely that 
many, if any, caches would survive long enough for the user to enter 
credentials in a way that would enable an attack, as far as I can tell.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list