21 comments

[ 3.1 ms ] story [ 53.8 ms ] thread
I would save yourself the trouble and create a separate domain now for customer subdomains. The problem with your current path is that it is impossible to tell the difference between a 7sheep.net subdomain that is owned and operated by 7sheep and a subdomain that is owned and operated by a 3rd party.

For example, training.7sheep.net is an official subdomain, but I could create docs.7sheep.net and make it look like an official subdomain and request peoples account information or do other bad things. GitHub ran into the same problem when they started supporting GitHub pages. Originally these were subdomains off of github.com, but after all the spoofing and other issues they moved them all to github.io. This way you never need to create a list of 'reserved' names and don't need to worry about confusion down the road.

You can read about GitHub's transition and reasoning at https://github.com/blog/1452-new-github-pages-domain-github-....

Frankly, I use Github almost every day, and I had no idea of the .com/.io distinction; if I saw a docs.github.io URL, I'd probably assume it was just an alternative domain.

The separate domain is a good advice, but I'd rather use something really different (e.g. github-user.com) if I was to let anyone post anything they wanted there.

> Frankly, I use Github almost every day, and I had no idea of the .com/.io distinction;

Neither did I; but a browser does make the distinction. It is a security separation.

Sure, and that's obviously useful, but it doesn't help with social engineering. If the site had a copy of the login page, I can see many people falling for it.
Wouldn't you still need to do a combination of filtering and manual moderation even with a subdomain? What would stop someone from creating something like 'login.7sheep.io'? If you are spoofing a domain, you probably aren't too concerned with what the TLD is and are counting on people to glance over it.
> GitHub ran into the same problem when they started supporting GitHub pages.

I think this passage is the main reason for the GitHub switch: «Because Pages sites may include custom JavaScript and were hosted on github.com subdomains, it was possible to write (but not read) github.com domain cookies»

This is well know cookie security problem: if you have live at x.example.co.uk you can set cookies for example.co.uk and co.uk itself. This is usually evident in organizations like universities that let their departments have their own subdomains run by different software. Usually the root domain contains dozens of unrelated cookies.

Mozilla is addressing this with the public suffix list [1], but I think a more solid solution is needed.

[1] https://publicsuffix.org/

bunkat is right, a blacklist approach is doomed to fail.

Amusingly, you missed "www" off your blacklist. I just created an account to test it. Luckily it hasn't hijacked your main site - but I also can't use my account :)

saw it ;-) and is fixed. just send you an email with the changed account name.

sometimes you can't see the wood for the trees …

The separation of domain names is a very good idea. Thanks for pointing that out.
Just to let you know that your feature section is really bad :( I was really interested in knowing what you offer best, but I lost track of the ones I already clicked and.. it's boring to click so much.

Sometimes a scrolling page just works :)

yep, we are working on this …
Just to let you know that your feature section is really bad :( I was really interested in knowing what you offer best, but I lost track of the ones I already clicked and.. it's boring to click so much.

Sometimes a scrolling page just works :)

What exactly did you try to google? "username blacklist" brings up some pretty good results for me. [1] It's also worth searching github for similar blacklists. [2][3][4][5]

Overall, I'd advise against giving subdomains to users, too.

[1] http://www.quora.com/How-do-sites-prevent-vanity-URLs-from-c... [2] https://encrypted.google.com/search?hl=en&q=search%20github%... [3] https://github.com/nccgroup/typofinder/blob/f0fe2ac4e5181746... [4] https://github.com/sandeepshetty/subdomain-blacklist/blob/ma... [5] https://gist.github.com/artgon/5366868

May I ask why github is blacklisted - what if github wants to sign up? I think git should be added to the blacklist however, maybe you got the 2 mixed up?
It may also be worth using a profanity filter - in multiple languages.

Or, depending on volume, having manual validation of names.

Do you really want porn.7sheep.net?

this is what we currently do. we review account names and get in touch with the users if necesary.
There's just too many you haven't thought of:

login promotion promo secure legal terms bonus free contact

Or how about mispellings good for phishing?

biling biIIing

etc etc

It's a noble effort, but malicious actors will always be more imaginative than you. Think about Unicode characters - there are all sorts of glyphs that look the same as, say, the 'c' in 'accounts' when presented in a user's address bar.

Pay very great heed to the people advising a separate domain for user generated names.

Why do users need their own subdomains at all?