tags:

views:

217

answers:

1
+1  Q: 

What are potential issues with allowing clients to have CNAME / DNS Masking support in a web application?

Our company develops a web application that other companies can license. Typically, our application runs on:

www.company.example

And a client's version of the application is run on:

client.company.example

Usually, a client runs their own site at:

www.client.example

Sometimes, clients request to have their version of the application available from:

application.client.example

This kind of setup is often seen with blogs (Wordpress, Blogger, Kickapps).

Technically, achieving this "DNS Masking" with a CNAME/A Record and some application configuration is straightforward. I've thought out some potential issues related to this, however, and wonder if you can think of any others that I've missed:

1) Traffic statistics (as measured by external providers, e.g., compete.com) will be lower since the traffic for company.example won't include that of application.client.example. (Local stats would not be affected, of course)

2) Potential cookie disclosure from application.client.example to company.example. If the client is setting cookies at .client.example, those cookies could be read by the company.example server.

3) Email Spoofing. Email could be sent from company.example with the domain application.client.example, possibly causing problems with spam blacklisting due to incompatible SPF records.

Thanks for any thoughts on this.

A: 

CNAME has been widely used for so long, especially by hosting companies. There are no major issues.

The biggest problem for us is when you have to use HTTPS. It's very difficult to support multiple CNAMEs on the same server. We use aliases in certificate (SAN extension). We have to get a new cert every time a new CNAME is added in DNS. Other than that, everything works great for us.

As to the issues you mentioned,

  1. This should be an advantage. It's a lot easier to combine the stats than to separate them. So we prefer granular reports.
  2. Cookies are not shared between domains, even if they are on the same IP. As long as apps are properly sandboxed on the server, they can't read each other's cookie.
  3. You should rate-limit your own outgoing SMTP traffic on the server end so you don't get blacklisted.
ZZ Coder  2009-11-05 12:36:04
Thanks ZZ Coder. I like the idea of using a Subject Alternative Name (SAN) SSL Certificate to handle multiple names at the SSL certificate level rather than doing individual certs and a lot of extra web server administration.Regarding your points:1) The thought is that external people who are looking into our company using sites like Compete.com won't see an accurate view of our traffic so we have a business concern.2) Correct. It would only be a problem with cookies set at .client.example (not client.example), but I admit that's not too common a usage.3) Good idea.Thanks again.
Paul Burney  2009-11-06 17:33:05

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security