Ask HN: Why do most platforms have the same host pattern?
3 points by thesurlydev on April 14, 2023 | 4 comments
A lot of platforms like fly.io, Heroku, vercel, etc. have more or less the same simple host pattern. The pattern seems to be:

  {random-string}{domain}

Some reasons are obvious like:

1. Using the same subdomain allows for a single wildcard cert

2. The random string label probably helps to avoid collisions, protect privacy, security, etc.

What other reasons would this common pattern be used?




I work at Aptible, another PaaS that follows the same host pattern you describe for providing one-off addresses when someone doesn't want to bring their own domain. The reasons you stated are both valid, along with the fact that a single domain means we don't need to _register_ new domains for every customer app.

Another note: we use `on-aptible.com` for our hosted app domains, separate from `aptible.com` for an important security reason: it is a second line of defense in avoiding cookie/CORS attacks (the first line of defense being setting cookies we control in a single subdomain and avoiding wildcards for CORS).

A related important measure for a PaaS using a single domain for subdomains owned by different accounts is to register that domain on the Public Suffix List [0], which prevents "supercookies" being set across these separately-owned subdomains.

[0] https://publicsuffix.org/
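
The effect of a Public Suffix List entry on cookie scoping, as an added example that is not part of the comment above: a simplified model of the RFC 6265 Domain check. The tenant hostnames and both rule sets are constructed for illustration, and wildcard and exception rules of the real list are not implemented.

```javascript
// Simplified model of a browser's cookie Domain handling
// (RFC 6265 domain-match plus public-suffix rejection).
// Rule sets are constructed; a real browser loads the full list.
const BASE_RULES = new Set(["com"]);
const WITH_PAAS_RULE = new Set(["com", "on-aptible.com"]);

// Longest suffix of `host` present in `rules`, or null.
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (rules.has(candidate)) return candidate;
  }
  return null;
}

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Is a cookie set by `host` with Domain=domainAttr stored as a
// cookie shared with every subdomain of domainAttr?
function cookieDomainAllowed(host, domainAttr, rules) {
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (!domainMatch(host, domain)) return false; // unrelated host
  // A Domain attribute that is itself a public suffix is never shared.
  if (publicSuffix(domain, rules) === domain) return false;
  return true;
}

// Would that cookie then be sent to `requestHost`?
function cookieSentTo(requestHost, setterHost, domainAttr, rules) {
  return cookieDomainAllowed(setterHost, domainAttr, rules) &&
         domainMatch(requestHost, domainAttr.replace(/^\./, ""));
}

function demo() {
  const a = "tenant-a.on-aptible.com"; // constructed hostnames
  const b = "tenant-b.on-aptible.com";
  return {
    withoutRule: cookieSentTo(b, a, "on-aptible.com", BASE_RULES),
    withRule: cookieSentTo(b, a, "on-aptible.com", WITH_PAAS_RULE),
    ownHost: cookieSentTo(a, a, a, WITH_PAAS_RULE),
  };
}
console.log(demo());
```

Without the entry, one tenant's cookie scoped to the shared domain reaches the other tenant; with it, only host-scoped cookies survive.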


What other reasons would this common pattern be used?

Laziness. Some of the higher-end platforms create customer-specific sub-domains and use sub-domain wildcards once that customer is in a particular revenue bracket.

The pattern you mention has gotten many AWS and related platform customers into trouble from sub-domain take-over as humans are good at creating things and quite bad at de-provisioning things despite automation. There are some bug-bounty folks that spend their entire time looking for sub-domain take-over opportunities and I hear it can be quite lucrative.


Domain takeover is only possible if the subdomain is user-specifiable, like with AWS S3.

As long as the subdomain is random and never reused (pretty simple to do if you incorporate some sort of timestamp in the name generation algorithm) then the takeover is impossible. This is another good reason to generate a random subdomain part.


Off the top of my head, using the same domain means cookies can be shared across a domain if you set them to be able to do that, but you can't do that across multiple domains.



