Comment by bilekas

Comment by bilekas 3 hours ago


Maybe I'm missing something, but can't you separate your session and authentication with a different subdomain? E.g. my session on corp.paypal.com would be locked down to solely corp.paypal.com.

From a practical sense, what difference does a subdomain versus a dedicated domain offer if you're managing your certs correctly?

SahAssar 2 hours ago

You can, but a lot of people lack the discipline to do so correctly. I'd prefer them to use corp.paypal.com, but as a security guy it's easier to just get them a separate domain and let them have their less-secured stuff completely isolated.

c0balt 2 hours ago

You can, but it is difficult and prone to errors. Separate domains solve the root cause of the issue. The alternative is an entry on the public suffix list.
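Added example, not from any of the commenters: a standard-library Python script showing the cookie scoping bilekas asks about (a host-only cookie on corp.paypal.com stays there, while a `Domain=paypal.com` attribute widens it to every sibling host) and the public-suffix alternative c0balt mentions. The hosts and Set-Cookie lines are constructed, and `public_suffixes` is a hypothetical stand-in for a real Public Suffix List entry.

```python
import email.message
import http.cookiejar
import urllib.request


class _Resp:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""
    def __init__(self, set_cookie_lines):
        self._hdrs = email.message.Message()
        for line in set_cookie_lines:
            self._hdrs["Set-Cookie"] = line

    def info(self):
        return self._hdrs


def _domain_attr(set_cookie_line):
    """Domain attribute of a Set-Cookie line (lowercase, no leading dot) or None."""
    for part in set_cookie_line.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        if key.lower() == "domain":
            return val.strip().lower().lstrip(".")
    return None


def cookies_sent(set_from, set_cookie_lines, to_url, public_suffixes=()):
    """Store the cookies that `set_from` sets, then return {name: value} for
    those a browser-like jar would attach to a request for `to_url`.

    `public_suffixes` models a Public Suffix List entry (hypothetical set):
    per RFC 6265 §5.3 a cookie whose Domain attribute is a public suffix is
    rejected outright, which is what a PSL entry for corp.paypal.com's
    parent would achieve.
    """
    accepted = [ln for ln in set_cookie_lines
                if _domain_attr(ln) not in public_suffixes]
    jar = http.cookiejar.CookieJar(http.cookiejar.DefaultCookiePolicy())
    jar.extract_cookies(_Resp(accepted), urllib.request.Request(set_from))
    req = urllib.request.Request(to_url)
    jar.add_cookie_header(req)  # applies the jar's domain/path/secure rules
    sent = req.get_header("Cookie", "")
    return dict(p.strip().split("=", 1) for p in sent.split(";") if p.strip())


CORP = "https://corp.paypal.com/"   # constructed "less-secured" host
MAIN = "https://www.paypal.com/"    # constructed main site
# Constructed Set-Cookie lines: host-only (no Domain) versus domain-wide.
HOST_ONLY = "sid=host-only; Path=/; Secure; HttpOnly"
DOMAIN_WIDE = "sid=domain-wide; Domain=paypal.com; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print(cookies_sent(CORP, [HOST_ONLY], MAIN))     # {}: stays on corp
    print(cookies_sent(CORP, [DOMAIN_WIDE], MAIN))   # {'sid': 'domain-wide'}
    print(cookies_sent(CORP, [DOMAIN_WIDE], MAIN, {"paypal.com"}))  # {}
```

The middle case is the "discipline" failure SahAssar describes: one Domain attribute set on the less-trusted host is enough for the cookie to be presented to www.paypal.com, which a separate registrable domain or a PSL entry rules out regardless of configuration.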
