
This sounds like a bad idea. You don't want private keys to a production subdomain being handed around teams. For instance, let's say you have dev.mybank.com. Somebody could trivially poison a DNS cache for a local system to redirect to their server, have a valid SSL key on the company domain, and implement a very real-looking phishing website for the company.

Another problem - controlling a subdomain could be used to steal login cookies from the main website. This is why GitHub moved GitHub Pages to a separate domain: https://blog.github.com/2013-04-09-yummy-cookies-across-doma...
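The cookie point in the comment above, as an added example that is not part of the original post: a simplified RFC 6265 domain-match used to audit which `Set-Cookie` headers from the main site would also be sent to a subdomain. The host `www.mybank.com`, the cookie names, and the sample headers are constructed assumptions; IP-address hosts and public-suffix rules are not handled.

```javascript
// RFC 6265 section 5.1.3 domain-match (simplified: no IP-address or public-suffix handling).
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// Parse one Set-Cookie header value, keeping the attributes that decide scope.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), domain: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "domain") cookie.domain = v.trim();
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Would a browser that stored this cookie from `setBy` attach it to a request for `requestHost`?
function sentTo(cookie, setBy, requestHost) {
  if (cookie.domain === null) {
    // No Domain attribute: host-only cookie, returned to the exact setting host only.
    return requestHost.toLowerCase() === setBy.toLowerCase();
  }
  return domainMatch(requestHost, cookie.domain);
}

// Names of cookies set by `setBy` that the server at `otherHost` would also receive.
// HttpOnly does not help here: it hides the cookie from scripts, not from the receiving server.
function exposedCookies(headers, setBy, otherHost) {
  return headers.map(parseSetCookie)
    .filter((c) => sentTo(c, setBy, otherHost))
    .map((c) => c.name);
}

// Constructed sample headers: a domain-wide session cookie beside a host-only one.
const SAMPLE_HEADERS = [
  "session=abc123; Domain=mybank.com; Path=/; Secure; HttpOnly",
  "__Host-session=abc123; Path=/; Secure; HttpOnly",
];

console.log(exposedCookies(SAMPLE_HEADERS, "www.mybank.com", "dev.mybank.com"));
```

Only the cookie carrying `Domain=mybank.com` is reported; the host-only cookie stays with the host that set it.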



A domain you own <-> a production domain.

Our corp has corptech.com and a few similar ones for this purpose. A generic .com costs about nothing, so no point in running anything non-production on your primary domain.



