The canonical URL for Hacker News is news.ycombinator.com. However, the Arc-based webserver does not check the Host HTTP header, so anyone can set up a DNS address record that points to the server's IP, and you'll get the full, normal Hacker News experience. hackerne.ws is one memorable alternative domain name for Hacker News.
This behavior presents a way to steal logins.
1. Set up a new domain, e.g. hkrn.ws
2. Point hkrn.ws's A record at 18.104.22.168
3. Link to items via that short domain, e.g. hkrn.ws/item?id=2353296. Perfect for Twitter!
4. Anyone who logs in to comment or vote will remain on your domain
5. After a while, change the A record to your own webserver's IP address; display a "Temporarily unavailable" page, or redirect to news.ycombinator.com, or similar
6. Collect all login cookies being sent to hkrn.ws
7. Go to step 2
There are several ways to mitigate the problem. Here are a few that spring to mind.
- Educate users not to log in unless it's the canonical URL (this is good practice in general, but the existence and use of hackerne.ws suggests people don't always follow it)
- Refuse to respond to requests on anything but the canonical site name, or redirect all non-canonical requests to the canonical host name
- Use HTTPS for the login
- Use HTTPS for everything
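One way to implement the second mitigation, as an added Go example (not the Arc webserver's own code): the canonical host name, the helper names and the choice to redirect non-canonical requests to HTTPS are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// canonicalHost is the only host name this application will serve (assumed).
const canonicalHost = "news.ycombinator.com"

// normalizeHost lowercases the Host header value and strips any port and
// trailing dot so that "News.Ycombinator.com:443" matches the canonical name.
func normalizeHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.ToLower(strings.TrimSuffix(host, "."))
}

// hostDecision maps a request's Host header and request URI to what the server
// should do: "serve", "redirect" (with the canonical location) or "reject"
// for empty or malformed Host values that no browser would send.
func hostDecision(host, requestURI string) (action, location string) {
	h := normalizeHost(host)
	switch {
	case h == canonicalHost:
		return "serve", ""
	case h == "" || strings.ContainsAny(h, " /\\@"):
		return "reject", ""
	default:
		return "redirect", "https://" + canonicalHost + requestURI
	}
}

// CanonicalHost wraps a handler so that only the canonical host name is ever
// served. A login attempted through an alternative domain is redirected before
// any session cookie is issued, so no cookie is ever scoped to that domain.
func CanonicalHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		action, location := hostDecision(r.Host, r.URL.RequestURI())
		switch action {
		case "redirect":
			http.Redirect(w, r, location, http.StatusMovedPermanently)
		case "reject":
			http.Error(w, "unknown host", http.StatusBadRequest)
		default:
			next.ServeHTTP(w, r)
		}
	})
}
```

Redirecting to the HTTPS origin also covers the last two items, since the session cookie can then be issued with the Secure attribute and is never sent in the clear.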