Account Names Blacklist - mikeseeh
https://blog.7sheep.net/blog/2014/08/18/account-names-blacklist

======
bunkat
I would save yourself the trouble and create a separate domain now for
customer subdomains. The problem with your current path is that it is
impossible to tell the difference between a 7sheep.net subdomain that is owned
and operated by 7sheep and a subdomain that is owned and operated by a 3rd
party.

For example, training.7sheep.net is an official subdomain, but I could create
docs.7sheep.net and make it look like an official subdomain and request
peoples account information or do other bad things. GitHub ran into the same
problem when they started supporting GitHub pages. Originally these were
subdomains off of github.com, but after all the spoofing and other issues they
moved them all to github.io. This way you never need to create a list of
'reserved' names and don't need to worry about confusion down the road.

You can read about GitHub's transition and reasoning at
https://github.com/blog/1452-new-github-pages-domain-github-io

~~~
icebraining
Frankly, I use Github almost every day, and I had no idea of the .com/.io
distinction; if I saw a docs.github.io URL, I'd probably assume it was just an
alternative domain.

The separate domain is good advice, but I'd rather use something _really_
different (e.g. github-user.com) if I was to let anyone post anything they
wanted there.

~~~
SideburnsOfDoom
> Frankly, I use Github almost every day, and I had no idea of the .com/.io
> distinction;

Neither did I; but a browser does make the distinction. It is a security
separation.

~~~
icebraining
Sure, and that's obviously useful, but it doesn't help with social
engineering. If the site had a copy of the login page, I can see many people
falling for it.

------
addandsubtract
What exactly did you try to google? "username blacklist" brings up some pretty
good results for me. [1] It's also worth searching github for similar
blacklists. [2][3][4][5]

Overall, I'd advise against giving subdomains to users, too.

[1] http://www.quora.com/How-do-sites-prevent-vanity-URLs-from-colliding-with-future-features
[2] https://encrypted.google.com/search?hl=en&q=search%20github%20by%20filename#hl=en&q=subdomain+blacklist.txt+site:github.com
[3] https://github.com/nccgroup/typofinder/blob/f0fe2ac4e5181746cf85412c39333be8a83f7896/TypoMagic/datasources/subdomains.txt
[4] https://github.com/sandeepshetty/subdomain-blacklist/blob/master/subdomain-blacklist.txt
[5] https://gist.github.com/artgon/5366868

------
mikeseeh
The separation of domain names is a very good idea. Thanks for pointing that
out.

------
TomGullen
There are just too many you haven't thought of:

login promotion promo secure legal terms bonus free contact

Or how about misspellings good for phishing?

biling biIIing

etc etc

~~~
stevewillows
social.7sheep.net is also available.

------
eponeponepon
It's a noble effort, but malicious actors will always be more imaginative than
you. Think about Unicode characters - there are all sorts of glyphs that
_look_ the same as, say, the 'c' in 'accounts' when presented in a user's
address bar.

Pay very great heed to the people advising a separate domain for user
generated names.

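As an added example (not code from the thread or from 7sheep), a Python validator showing how a defender would combine the reserved-name list discussed above with NFKC normalization, an ASCII label allowlist, and a simplified lookalike fold so that Unicode glyphs and spellings like "biIIing" cannot slip past a plain string comparison. The reserved set and the fold table are constructed for illustration and are deliberately incomplete.

```python
import re
import unicodedata

# Constructed reserved list for illustration; a production list would be far longer.
RESERVED = {
    "www", "ftp", "docs", "login", "secure", "billing", "accounts",
    "support", "training", "social", "git", "mail", "api", "admin",
}

# Simplified ASCII lookalike fold (not the full UTS #39 confusables table):
# characters that render alike in an address bar collapse to one representative.
_SKELETON = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})

# DNS "letters, digits, hyphen" label: 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def skeleton(name: str) -> str:
    """Collapse lookalike characters so 'bi11ing', 'biIIing' and 'billing' compare equal."""
    return name.lower().translate(_SKELETON)


_RESERVED_SKELETONS = {skeleton(r) for r in RESERVED}


def validate_account_name(raw: str) -> tuple[bool, str]:
    """Return (ok, canonical_name) or (False, reason).

    NFKC runs first so compatibility forms (fullwidth letters, script letters)
    fold to ASCII before the allowlist and reserved checks see them; anything
    still outside a-z/0-9/hyphen afterwards (e.g. Cyrillic lookalikes) is rejected.
    """
    name = unicodedata.normalize("NFKC", raw).casefold()
    if not LABEL_RE.fullmatch(name):
        return False, "only a-z, 0-9 and internal hyphens are allowed"
    if name in RESERVED:
        return False, "reserved name"
    if skeleton(name) in _RESERVED_SKELETONS:
        return False, "looks too much like a reserved name"
    return True, name


if __name__ == "__main__":
    for candidate in ["mike", "WWW", "biIIing", "\uff57\uff57\uff57", "a\u0441counts", "-bad"]:
        print(repr(candidate), validate_account_name(candidate))
```

Checking the skeleton against the reserved list catches the digit/letter swaps from the thread; a real deployment would also fold a proper confusables table and keep the reserved list under version control so additions like "www" are reviewed.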
------
mxpt
Just to let you know that your feature section is really bad :( I was really
interested in knowing what you offer best, but I lost track of the ones I
already clicked and.. it's boring to click so much.

Sometimes a scrolling page just works :)

~~~
mikeseeh
yep, we are working on this …

------
shawabawa3
bunkat is right, a blacklist approach is doomed to fail.

Amusingly, you missed "www" off your blacklist. I just created an account to
test it. Luckily it hasn't hijacked your main site - but I also can't use my
account :)

~~~
mikeseeh
saw it ;-) and it's fixed. just sent you an email with the changed account name.

sometimes you can't see the wood for the trees …

~~~
jacquesm
ftp docs

------
edent
It may also be worth using a profanity filter - in multiple languages.

Or, depending on volume, having manual validation of names.

Do you really want porn.7sheep.net?

~~~
mikeseeh
this is what we currently do. we review account names and get in touch with
the users if necessary.

------
dutchbrit
May I ask why github is blacklisted - what if github wants to sign up? I think
git should be added to the blacklist however, maybe you got the 2 mixed up?

------
glomph
Why do users need their own subdomains at all?

