undefined | Better HN

0 pointsnox1011y ago0 comments

What about things like cookies, storage, caching, etc.. If my job has `https://testing.internal` and some company I visit also has `https://testing.internal` ...

0 comments

kelnos1y ago

Presumably you don't trust the CA that signed the certificate on the server at the company you're visiting. As long as you heed the certificate error and don't visits the site, you're fine.

thayne1y ago

Now suppose you are a contractor who did some work for company A, then went to do some work for company B, and still have some cookies set from A's internal site.

hsbauauvhabzb1y ago

So we’re back to trusting the user?

0l1y ago

Use HSTS, browsers are specifically designed not to let users bypass these.

1 more reply

fulafel1y ago

Yep, ambiguous addressing doesn't save you, same as 10.x IPv4 networks. And one day you'll need to connect or merge or otherwise coexist with disparate uses if it's a common one (like in .internal and 10.x)...

kevincox1y ago

IPv6 solves this as you are strongly recommend to use a random component at the top of the internal reserved space. So the chance of a collision is quite low.

pas1y ago

there's some list of ULA ranges allocated to organizations, no?

edit: ah, unfortunately it's not really standard, just a grassroots effort https://ungleich.ch/u/projects/ipv6ula/

fulafel1y ago

There's usually little reason to use reserved space vs internet addresses, unless you just want to relive the pain of NAT+IPv4. The exception is if you lack PI space and can't copy with potential renumbering.

1 more reply

viraptor1y ago

Ideally, you use "testing.company-name.internal" for that kind of things. (Especially if you think you'll ever end up interacting at that level)

mrighele1y ago

I would expect ACME to use https://testing.acme.internal, and not just https://testing.internal, that would remove most of the incidental clashes (not malicious ones, of course).

mrkstu1y ago

I'm assuming you wouldn't import their CA as authoritative just to use their wifi...

dudus1y ago

Great question. I think they leak but this happens regardless.

thebeardisred1y ago

May god have mercy on the person using this in their mobile applications.

j / k navigate · click thread line to collapse

0 comments

kelnos1y ago

Presumably you don't trust the CA that signed the certificate on the server at the company you're visiting. As long as you heed the certificate error and don't visits the site, you're fine.

thayne1y ago

Now suppose you are a contractor who did some work for company A, then went to do some work for company B, and still have some cookies set from A's internal site.

hsbauauvhabzb1y ago

So we’re back to trusting the user?

0l1y ago

Use HSTS, browsers are specifically designed not to let users bypass these.

1 more reply

fulafel1y ago

kevincox1y ago

IPv6 solves this as you are strongly recommend to use a random component at the top of the internal reserved space. So the chance of a collision is quite low.

pas1y ago

there's some list of ULA ranges allocated to organizations, no?

edit: ah, unfortunately it's not really standard, just a grassroots effort https://ungleich.ch/u/projects/ipv6ula/

fulafel1y ago

1 more reply

viraptor1y ago

Ideally, you use "testing.company-name.internal" for that kind of things. (Especially if you think you'll ever end up interacting at that level)

mrighele1y ago

I would expect ACME to use https://testing.acme.internal, and not just https://testing.internal, that would remove most of the incidental clashes (not malicious ones, of course).

mrkstu1y ago

I'm assuming you wouldn't import their CA as authoritative just to use their wifi...

dudus1y ago

Great question. I think they leak but this happens regardless.

thebeardisred1y ago

May god have mercy on the person using this in their mobile applications.

j / k navigate · click thread line to collapse