milkshakes 6 days ago

what percentage of the online population do you expect to understand this?

greengreengrass 6 days ago | parent | next [-]

I have often wondered why we don’t see more usage of the brand gTLDs, which many of these big firms own. I muse that this is (part of) the reason why – there simply isn’t the understanding or recognition outside tech circles (or even within tech circles) to comprehend that it is possible to use such a gTLD without a conventional .com or similar suffix tacked on the end. I tend to see it localised to use for marketing micro sites that do not ask for credentials so have no need to establish user trust, or occasionally internal technical uses that will never touch the typical customer’s eyeballs.

The other reason I hypothesise is that corporate big brother snooping systems that have whitelists for their trusted services – with entries like mail.google.com or calendar.google.com – are simply too painful at this point for big tech to break for their customers by dropping the .com suffix, so big tech doesn’t bother.

No hard data on any of that, though.

Thorrez 6 days ago | parent [-]

I don't think you can put cookies on a TLD. So if Google used mail.google and calendar.google, the login system would be more complex, because they can't share cookies.

arghwhat 6 days ago | parent [-]

Modern auth systems do not work by exposing multiple services on a single domain with shared cookies.

Instead, they authenticate using a common auth service (say, auth.google), which by virtue of being a single domain can persist shared cookies for all its consumers. This would yield a valid token (possibly a JWT) that the authenticating application can then use however it would like, including as a cookie on the application's own domain.

Whenever you go to a service that temporarily sends you to a different login domain (often just immediately redirecting you back), this is why.
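
A toy version of the flow described in this comment, added here as an illustration and not code from the thread or from any real Google system: the hosts auth.google and mail.google, the shared HMAC key and the tiny public-suffix list are all assumptions, standing in for a browser's Public Suffix List and a real token format.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed hosts: a brand gTLD used bare, with one central auth host.
AUTH_HOST = "auth.google"
APP_HOST = "mail.google"
# Constructed stand-in for the Public Suffix List: browsers refuse cookies scoped to these.
PUBLIC_SUFFIXES = {"google", "com"}
# Assumption: auth service and app share this key (real deployments use asymmetric keys).
AUTH_KEY = secrets.token_bytes(32)

def cookie_domain_allowed(domain: str) -> bool:
    """A cookie cannot be set on a public suffix, so nothing can be shared across *.google."""
    return domain.lstrip(".").lower() not in PUBLIC_SUFFIXES

def sign_token(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(AUTH_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify_token(token: str, audience: str):
    """Return claims only if the MAC checks out, the token is for us and it has not expired."""
    if "." not in token:
        return None
    body, mac = token.split(".", 1)
    expected = hmac.new(AUTH_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims

def auth_service(request_cookies: dict, return_to: str) -> str:
    """auth.google: the session cookie lives here; mint a short-lived token bound to the caller."""
    user = request_cookies.get("auth_session")
    if user is None:
        raise PermissionError("no session on auth host: show login page")
    token = sign_token({"sub": user, "aud": urlparse(return_to).hostname, "exp": time.time() + 60})
    return f"{return_to}?{urlencode({'token': token})}"

def app_callback(redirect_url: str) -> dict:
    """mail.google: verify the token, then set a cookie scoped to its own host, never the bare TLD."""
    token = parse_qs(urlparse(redirect_url).query).get("token", [""])[0]
    claims = verify_token(token, APP_HOST)
    if claims is None:
        raise PermissionError("invalid, expired or misdirected token")
    assert cookie_domain_allowed(APP_HOST)
    return {"name": "app_session", "value": claims["sub"], "domain": APP_HOST}
```

The audience check is what stops a token minted for calendar.google from being replayed at mail.google, which is the part a real deployment most often gets wrong.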

Thorrez 6 days ago | parent | next [-]

Some modern auth systems. Not all.

I created a separate Chrome profile, and logged in to gmail. Then I disabled javascript, then deleted all my google.com cookies (but left my mail.google.com cookies). Then I reenabled javascript and visited mail.google.com again. I was logged out. So Google is using the google.com cookies.

Thorrez 6 days ago | parent | prev | next [-]

Yeah, it does make things more difficult in terms of teaching people a simple rule. Instead of "ends with @<company>.com", the rule is "ends with @<company>.com or .<company>".

OTOH, there were probably a lot of places already violating the "ends with @<company>.com" rule, e.g. by using subdomains, or even other domains. So very little of the online population was likely using the rule. And with email spoofing, even "ends with @<company>.com" can't be relied on to ensure the email is legit. So the rule of "don't click links in emails" is the only foolproof rule. Though you also need to add "don't copy and paste things from emails".

arghwhat 6 days ago | parent [-]

Yay for third-party email services where the From: is a no-reply address from an entirely different company (and therefore only authenticity validation for that company), and the Reply-To: is some obscure mailbox from the supposed sender. I'm sure that makes perfect sense to most people.

> So the rule of "don't click links in emails" is the only foolproof rule.

The only truly foolproof rule is "don't open emails". Also helps a lot on mental health and associated expenditures!

r_lee 6 days ago | parent | prev [-]

legit.

I could imagine something like x-mucrosoft.email etc. being used and the users would just be like well there was email.microsoft so same thing!