
Because my passwords for google.com, gmail.com, youtube.com, and google.co.uk are exactly the same, and the browser has no way of knowing that that's okay.

(Google specifically has probably rerouted everything through google.com these days, but the general problem exists.)



It's a real problem; the new anti-phishing protocols (U2F/UAF) have some ideas.

The Web Origin Concept - https://tools.ietf.org/html/rfc6454

They also require the server to provide a list of Origins that are valid for the protocol; if the domain you're logging into is not in the list, the server's challenge will not be signed. It's called AppID in the protocol.

See: https://fidoalliance.org/download/


I have this exact problem with LastPass. One of my few pain points with it.


You can define equivalent domains in LastPass to solve that.


Yes!!! Thank you!!!
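An added example, not code from this thread, LastPass or the FIDO specs, putting the two ideas discussed above side by side in Python: the RFC 6454 origin triple, a U2F-style AppID facet list that decides whether a challenge gets signed at all, and a password manager's user-declared equivalent-domain group for the google.com / gmail.com / youtube.com case. The facet document, the tiny public-suffix list and the domain group are constructed here for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(url):
    """RFC 6454 origin as a (scheme, host, port) triple, default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

# Constructed trusted-facets document of the kind a U2F AppID URL serves
# (assumption: one version entry whose ids are https origins chosen by the site).
TRUSTED_FACETS = {"trustedFacets": [{
    "version": {"major": 1, "minor": 0},
    "ids": ["https://www.google.com", "https://accounts.google.com", "https://mail.google.com"],
}]}

def may_sign_challenge(page_url, facets_doc):
    """Sign only when the page's exact origin is in the AppID's facet list;
    a look-alike host or a plain-http page gets no signature."""
    for entry in facets_doc["trustedFacets"]:
        if entry["version"] == {"major": 1, "minor": 0}:
            allowed = {origin(f) for f in entry["ids"] if f.startswith("https://")}
            return origin(page_url) in allowed
    return False

# Password-manager side: a user-defined equivalence group, like LastPass's
# equivalent domains, makes the google.com/gmail.com/youtube.com case explicit.
EQUIVALENT_DOMAINS = [{"google.com", "gmail.com", "youtube.com", "google.co.uk"}]

def registrable_domain(host, public_suffixes=("co.uk",)):
    """eTLD+1 of a host (assumption: a tiny suffix list stands in for the
    Public Suffix List a real manager would ship)."""
    labels = host.split(".")
    for suffix in public_suffixes:
        n = suffix.count(".") + 1
        if host.endswith("." + suffix) and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])

def autofill_allowed(saved_url, page_url):
    """Fill a saved credential only on https, on the same registrable domain,
    or on a domain the user explicitly declared equivalent."""
    if origin(page_url)[0] != "https":
        return False
    saved = registrable_domain(origin(saved_url)[1])
    current = registrable_domain(origin(page_url)[1])
    return saved == current or any(saved in g and current in g for g in EQUIVALENT_DOMAINS)
```

The two checks fail differently on purpose: the facet list is exact-origin and refuses anything not listed, while the manager's rule is broader but still stops at a look-alike registrable domain such as google.com.evil.example.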



