Too many edge cases, some would still be exploitable. E.g., if the real address was:
Sheriff.CI.Jacksonville.FL.US
Malicious actors could register: Sheriff.Jacksonville.FL.US
Unless your solution is to add some verification step as part of .us registrations.

Can people register a subdomain of fl.us willy-nilly though? Isn't the root domain owned by the state?

From the RFC (note the "or businesses"):
Name Space Within States:
------------------------

"locality" - cities, counties, parishes, and townships. Subdomains
under the "locality" would be like CI.<city>.<state>.US,
CO.<county>.<state>.US, or businesses. For example:
Petville.Marvista.CA.US.

"CI" - This branch is used for city government agencies and is a
subdomain under the "locality" name (like Los Angeles). For example:
Fire-Dept.CI.Los-Angeles.CA.US.

So you'd be counting on the sub-registrar of jacksonville.fl.us not to allow a registration for the fraudulent "business" of Sheriff, Inc. -- multiplied by every municipality across the country.

Many top-level TLDs have requirements you need to fulfill, .edu is a good example. Similarly you need to prove you're a local entity for many country-specific TLDs. At the end of the day though, this attack vector will always be there, no matter how diligent you are about it. Phishing is all about numbers and one in is often all you need.

Wouldn't make any difference, you'd just hack one email at any random sheriff department in the country. Or pay $5 for one, anyway.
This would not be an issue if RFC 1480 had been taken seriously.
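
The following is an added example, not part of the thread or of RFC 1480: a defender-side check that parses names using only the locality / CI / CO layout quoted above and flags an observed name that equals a known agency name once the branch label is dropped. The function names and the contents of the sample lists are assumptions made for illustration.

```python
# Added example: flag .us locality names that shadow a known CI/CO agency name.
GOV_BRANCHES = {"CI", "CO"}  # city / county government branches quoted from RFC 1480


def parse_locality_name(name):
    """Parse <org...>[.<CI|CO>].<locality>.<state>.US; return None for other shapes.

    Assumption: only the locality layout quoted in the thread is modelled.
    """
    labels = name.strip().rstrip(".").upper().split(".")
    if len(labels) < 4 or labels[-1] != "US" or not all(labels):
        return None
    state, locality, rest = labels[-2], labels[-3], labels[:-3]
    if len(state) != 2 or not state.isalpha():
        return None
    branch = rest[-1] if rest[-1] in GOV_BRANCHES else None
    org = tuple(rest[:-1]) if branch else tuple(rest)
    return {"org": org, "branch": branch, "locality": locality, "state": state}


def find_shadow_names(known_agency_names, observed_names):
    """Return (observed, real) pairs where observed lacks the CI/CO label but
    otherwise equals a known government name."""
    known = {}
    for real in known_agency_names:
        p = parse_locality_name(real)
        if p and p["branch"] and p["org"]:
            known[(p["org"], p["locality"], p["state"])] = real
    hits = []
    for seen in observed_names:
        p = parse_locality_name(seen)
        if p and p["branch"] is None:
            real = known.get((p["org"], p["locality"], p["state"]))
            if real:
                hits.append((seen, real))
    return hits


if __name__ == "__main__":
    # Names taken from the thread and the RFC excerpt; the lists are constructed.
    known = ["Sheriff.CI.Jacksonville.FL.US", "Fire-Dept.CI.Los-Angeles.CA.US"]
    observed = ["sheriff.jacksonville.fl.us", "Petville.Marvista.CA.US",
                "Fire-Dept.CI.Los-Angeles.CA.US"]
    for seen, real in find_shadow_names(known, observed):
        print(f"{seen} shadows {real}")
```

A mail gateway or log review could run the same comparison over sender domains, with the list of known agency names maintained by whoever owns that allow-list.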