Domains as a measure of trust
I'm increasingly amazed by the number of banks and other secure services that seem to spread their online services over dozens of different domains. Simply put, a domain is one unit of trust, for a variety of reasons, and many applications assume exactly that for security purposes (cookie scoping and the XSS sandboxing of the same-origin policy spring to mind). It's cheaper, easier, more secure, and visibly more secure to use subdomains than to purchase a separate domain to redirect users to for secure services.
Some of the culprits I've come across:
- NatWest (at natwest.com) use nwolb.com for online banking.
- RBS (which owns NatWest) also owns Streamline Direct, a payment gateway. RBS' merchants' customers get redirected onto Streamline Direct (at streamline-esolutions.com) to enter credit card details. Most won't have ever heard of them. But if you did Google for them you'd find them at streamline-direct.co.uk and/or streamline.com.
- Paying for domains online yesterday (at streamline), I was redirected to securesuite.com, ostensibly some Mastercard security thing, and asked to enter my credit card details a second time.
- Barclays (at barclays.co.uk) runs their payment gateway out of epdq.co.uk.
- Play.com hands over to playsecureserver1.com to take card details.
And just to contrast the way it's supposed to work, let's think of a few examples of big sites with secure services:
- Amazon (www.amazon.co.uk) uses https://www.amazon.co.uk.
- If you pay Google for advertising (adwords.google.co.uk), you'll pay at https://adwords.google.co.uk.
- What domain does Paypal (www.paypal.com) use for secure services? https://www.paypal.com/.
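The two lists above come down to one question: does the page taking the card details sit inside the same registrable domain as the site the customer started on? The following is an added example, not code from the original post, that makes that check concrete. It takes the redirects listed above as constructed inputs, decides whether each one stays on-site, and shows the cookie side of the argument with the RFC 6265 domain-matching rule: a cookie scoped to natwest.com reaches any natwest.com subdomain but never nwolb.com. The short suffix table is an assumption standing in for the full Public Suffix List, which a real implementation should use.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the hosts in
# the post. Production code should consult the real list instead of this table.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(host):
    """Return the part of a host name that one organisation registers and controls.

    'adwords.google.co.uk' -> 'google.co.uk'; 'www.nwolb.com' -> 'nwolb.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def same_site(origin_url, target_url):
    """True when both URLs share a registrable domain, i.e. one unit of trust."""
    origin_host = urlsplit(origin_url).hostname or ""
    target_host = urlsplit(target_url).hostname or ""
    return registrable_domain(origin_host) == registrable_domain(target_host)


def cookie_domain_matches(cookie_domain, request_host):
    """RFC 6265 section 5.1.3 domain matching.

    A cookie with Domain=natwest.com is sent to natwest.com and to any host that
    ends in '.natwest.com'; it is never sent to nwolb.com or to evilnatwest.com.
    """
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower().rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


# Constructed from the examples in the post: (site the user starts on, page taking payment).
REDIRECTS = [
    ("https://www.natwest.com/", "https://www.nwolb.com/"),
    ("https://www.barclays.co.uk/", "https://www.epdq.co.uk/"),
    ("https://www.play.com/", "https://www.playsecureserver1.com/"),
    ("https://www.amazon.co.uk/", "https://www.amazon.co.uk/checkout"),
    ("https://adwords.google.co.uk/", "https://adwords.google.co.uk/billing"),
    ("https://www.paypal.com/", "https://www.paypal.com/"),
]


def classify_redirects(redirects=REDIRECTS):
    """Label each redirect 'same-site' or 'cross-site' for a reviewer to eyeball."""
    return [
        (origin, target, "same-site" if same_site(origin, target) else "cross-site")
        for origin, target in redirects
    ]


if __name__ == "__main__":
    for origin, target, verdict in classify_redirects():
        print(f"{verdict:10s} {origin} -> {target}")
    print(cookie_domain_matches("natwest.com", "online.natwest.com"))  # True
    print(cookie_domain_matches("natwest.com", "www.nwolb.com"))       # False
```

The cross-site verdicts are exactly the cases where the customer is asked to trust a name they have no way to connect to the bank, and where the bank's own session cookies cannot follow them.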
It is relatively trivial for a hacker to obtain an SSL cert for an arbitrary domain, but extremely hard to obtain one for someone else's domain and then insert his machine into their DNS. Either way, he still has to compromise a web server somewhere to get his machine inserted into the chain. Web servers do get compromised, though, and while he would have to find it more beneficial to redirect to a third-party machine than to set up credit-card interception on the compromised host itself, that is not hard to imagine either: perhaps he cannot obtain the requisite privileges, or perhaps redirecting to a different (possibly also compromised) server is less traceable.
Maybe I'm just paranoid, but social measures matter more than technical security measures here: how can the public be expected to avoid phishing attacks when legitimate services are themselves being served from untrusted domains?