[Dshield] CNN?
WebMaster at Commerco.Net
Mon Oct 15 21:18:34 GMT 2007
M Cook,

Having read both Johannes' and Deb's posts, as regards the URL you
listed below, just be glad the good folks at CNN apparently still use
their own root CNN.COM domain second level and top level names in
their links...

Way too often, it seems, you see link setups from reputable sites who
do not choose to use their own root domain name in links, while
claiming same in the text for the link they are presenting. I find
*that* really frustrating.

I think many of those cases are generally related to subcontracting
with another company for a specific function (e.g., surveys,
etc). If one trusts another company enough to send stuff out on
one's own behalf (or actually claim to be one's company), then why
not assign a subdomain in DNS under one's own domain to the other
company's servers under some contract agreement... Then the other
company almost unquestionably has the domain holder's authority
(presuming DNS is not broken) to do whatever it is tasked with. That
should not confuse or otherwise disturb the masses who notice such
things (including me).

While I understand that it is not always easy to do this in more
complex scenarios (I have run into some related issues to this from
our own travel site and the core engine supplier during integration),
I think that companies should at least try to avoid confusing their
user base in this way.

(Also sorry for my rant. Hopefully, including a solution with the
rant helps to temper it).

Best,

Alan
TZ.Com - Travel Zippy

At 12:04 PM 10/15/2007, you wrote:
>Anyone see the mail from CNN about a desktop alerter? It offers a link
>to download it:
>
>Download it now!
>http://downloadpl.cnn.com/cnn/services/alerter/CNNAlerter.exe
>
>But if you hover over it, the link is actually
>
>http://www.access.cnn.com/xyyabbxx_xzenozx.html
>
>Now I realize this is probably innocent, probably just to implement some
>sort of tracking; but don't these folks realize it is the same strategy
>used by phishers (list one URL, hide the real one)? Why don't they just
>say "click here", or make the text match the linked URL? Wouldn't it be
>better if legitimate businesses were straightforward, so only the shady
>ones were sneaky? Plus if they want to be really helpful, they'd put it
>on an HTTPS page, so the certificate could be validated...
>
>(sorry for the rant)
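
The check both messages describe (does a link's visible text match where the link actually goes, and does the target at least stay under the same root domain) can be automated when reviewing outbound or inbound HTML mail. The following is an added example, not part of either message; the function names, verdict labels and the example.com/example.net link are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def parts(url):
    u = urlsplit(url if "://" in url else "http://" + url)  # assume http if no scheme
    return (u.hostname or "").lower(), u.path.rstrip("/"), u.query

def looks_like_url(text):
    return " " not in text and "." in parts(text)[0]  # URL or dotted hostname

def base_domain(host):
    # Assumption: last two labels; co.uk-style suffixes need the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def classify(text, href):
    if not looks_like_url(text):
        return "label"                  # "click here" style text claims no URL
    shown, actual = parts(text), parts(href)
    if shown == actual:
        return "match"
    if base_domain(shown[0]) == base_domain(actual[0]):
        return "same-domain-mismatch"   # different URL under the same root domain
    return "cross-domain-mismatch"      # text names one domain, link goes to another

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.findings.append((text, self._href, classify(text, self._href)))
            self._href = None

def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

SAMPLE = (  # constructed; the first two links reuse the URLs quoted in the thread
    '<a href="http://www.access.cnn.com/xyyabbxx_xzenozx.html">http://downloadpl.cnn.com/cnn/services/alerter/CNNAlerter.exe</a>'
    '<a href="http://www.access.cnn.com/xyyabbxx_xzenozx.html">Download it now!</a>'
    '<a href="http://surveys.example.net/s?id=1">www.example.com/survey</a>')
if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The comparison ignores the scheme, so it says nothing about whether the target is served over HTTPS.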