TLDs and file extensions (Re: DNS and potential energy)

Jean-François Mezei jfmezei at vaxination.ca
Tue Jul 1 16:44:45 CDT 2008


David Conrad wrote:

> People keep making the assertion that top-level domains that have the  
> same strings as popular file extensions will be a 'security disaster'


Microsoft, in its infinite wisdom and desire to not abide by standards
it has not set decided that instead of relying on the Mime type (content
type:) field in the HTTP response to determine how this particular
content should be rendered,, it would look at the letters following the
last dot in the URL.

There were many viruses which were transmitted this way, with URLs
ending in .EXE which meant that Microsoft blindly executed the contents
fed over the web. Often, the content type: field would point to a
image/jpeg type and standards compliant browsers would simply handle
this as a picture with invalid contents.

I am now sure if Microsoft continues to based data type decisions on
what it interprets as a file extension in a URL or not. But it should
not stop the world from moving on because to those who abide by
standards, such things are not a problem.

However, the issue of http://museum/ is an interesting one. This may
affect certain sites who would have to ensure their resolver firsts
tests a single node name and only add the local domain name if the first
test failed. There may be sites/systems that just automatically tag on
the domain name if they just see what looks like a node name.




More information about the NANOG mailing list