Ask HN: Why do most platforms have the same host pattern?
A lot of platforms like fly.io, Heroku, vercel, etc. have more or less the same simple host pattern. The pattern seems to be:
{random-string}{domain}
Some reasons are obvious like:1. Using the same subdomain allows for a single wildcard cert 2. The random string label probably helps to avoid collisions, protect privacy, security, etc.
What other reasons would this common pattern be used?
4 comments
[ 32.9 ms ] story [ 243 ms ] threadLaziness. Some of the higher-end platforms create customer specific sub-domains and use sub-domain wildcards once that customer is in a particular revenue bracket.
The pattern you mention has gotten many AWS and related platform customers into trouble from sub-domain take-over as humans are good at creating things and quite bad at de-provisioning things despite automation. There are some bug-bounty folks that spend their entire time looking for sub-domain take-over opportunities and I hear it can be quite lucrative.
As long as subdomain is random and never reused (pretty simple to do if you incorporate some sort of timestamp in the name generation algorithm) then the takeover is impossible. This is another good reason to generate random subdomain part.
Another note: we use `on-aptible.com` for our hosted app domains, separate from `aptible.com` for an important security reason: it is a second line of defense in avoiding cookie/CORS attacks (the first line of defense being setting cookies we control in a single subdomain and avoiding wildcards for CORS).
A related important measure for a PaaS using a single domain for subdomains owned by different accounts is to register that domain on the Public Suffix List [0], which prevents "supercookies" being set across these separately-owned subdomains.
[0] https://publicsuffix.org/