We already have a /.well-known/apple-developer-merchantid-domain-association.txt file under our domain which is used to verify our domain to Apple in relation to a checkout.com Apple Pay integration. Now we wish to have a completely independent Apple Pay integration (i.e. a different Apple merchant) using Adyen, operating under the same domain. This means we need to verify that too, by hosting a different /.well-known/apple-developer-merchantid-domain-association.txt... how can this be done while making sure the existing checkout.com integration doesn't lose its verification?
I was hoping maybe Apple includes some kind of header in the request signifying which merchant ID it's verifying, and based off of that we could dynamically change what we present? But I couldn't find anywhere detailing the exact process that goes on.
I've found lots of threads on the Apple developer forums about this, but none with a conclusive answer:
https://developer.apple.com/forums/thread/718160
https://developer.apple.com/forums/thread/118725
https://developer.apple.com/forums/thread/695538
Only the last one provides any kind of answer, which doesn't feel particularly robust as it seems like a big assumption that once it's verified Apple will never check again, an assumption that doesn't seem to be documented anywhere?
Are there any other possible solutions here?
Domain Generation Algorithms(DGAs) are used in malware to generate a large number of domain names that can be used in communications to the malware’s command and control servers
For example, an infected computer could create thousands of domain names such as: www.(gibberish).com and would attempt to contact a portion of these with the purpose of receiving an update or commands. - Wikipedia
But my question is we need to buy and register a domain name before we want to use. Then how hacker can generate 10 Thousand of domain name ? and use them ?
Thanks.
Consider this.
The malware infects many devices across the globe, and needs to establish communication with the malware controller after infection.
If this address/domain is hardcoded in the malware, it can be easily found and blocked.
For this reason and many others, malware make use of DGA.
DGAs use some sort of seed, for example, today's date.
Using this, and some operations, they come up with a few or thousands of domains in a day.
Now, the hacker/malware author does not have to register all those domains.
The malware will just go on contacting each possible domain to look for commands.
They have to register only one of those millions of possible domains.
When the infected device contacts that domain, the hacker/malware author now has control over that malware, and can now send it commands.
It has been found that authors of Dyre malware had registered some domains 2 years in advance, some authors register domains just a couple of days or even couple of hours before the malware starts making contact.
Bottomline, the malware may generate thousands of queries, but in most cases its only looking for one successful connection, or one registered domain.
I want to point mysite.com to myapplication.herokuapp.com
Searched hard and was speaking with hostgator support, they say - it is impossible, heroku is not supporting A records and CNAME are not able to point from naked domain.
You can do it with A records…but Heroku really doesn't want you to, and with some good reasons. One thing you can do is run
$ host myapplication.herokuapp.com
and find out what IP that points to, and then create an A record pointing to that IP. But this is very brittle: if Heroku changes that IP, then your domain won't work until you update your A record. This method will probably break at some point, so you shouldn't do it, even though you technically can.
Luckily, there are solutions. Heroku outlines them in their documentation for custom domains, particularly in their documentation for root domains. The best one is to use a DNS provider that supports "ANAME" or "ALIAS" records, which are like CNAME records in that they point to another domain (rather than IP), but can be used for root domains. DNS doesn't natively have such support, so these are a bit of a hack, and are only supported by a few providers, namely DNSimple and DNS Made Easy. This solution is the best, most robust solution.
I use DNSimple and have found them to be very reliable and excellent to work with.
This question was already asked and answered here: https://stackoverflow.com/a/16041655/758334
I can vouch for dnsimple. There was a number of reasons why I switched to them, but their support for ALIAS records to make pointing the apex domain to hosted cloud apps was a big one for me.
I'm trying to understand how WHOIS works. I know there are third-parties and Gems that abstract this functionality, but I want to have some basic understanding of what goes on. Thus, I'm interested in how to do this in the most direct manner using only standard Ruby libraries and going straight to the direct source. As a test use case, I'd like to be able to pull the 10 most recent .COM domains registered which would give me a model to understand how to query for a list of all the domain names registered in a given time period on a given TLD. It is my understanding that IANA would point me to Verisign for a .COM query, so, if that is correct and I should be querying Versign, what do I ask Verisign and how would I execute this query in Ruby? As well, what documentation or reference could I have used to figure this out myself (I ask because I had trouble finding any). Thanks.
Normally, you can't know the last N domains created for a specific .TLD unless the registry authority for that specific TLD provides you access to this information.
And AFAIK, this is a feature that no registry currently provide.
Some registries gives the ability to download a list of all registered domains for a TLD to some authorized partners. This feature is normally very expensive and useful only if you need to know at any time what and how many domains exist for a specific TLD.
Keep in mind this authorization is really expensive and it must be approved by the registry, given that the TLD you want to monitor belongs to a registry that supports this feature.
You cited Verisign. Verisign provides a TLD ZONE FILE ACCESS PROGRAM, but this is not something you have access for free through their public WHOIS interface.
Update: this question is specifically about protecting (encipher / obfuscate) the content client side vs. doing it before transmission from the server. What are the pros / cons on going in an approach like itune's one - in which the files aren't ciphered / obfuscated before transmission.
As I added in my note in the original question, there are contracts in place that we need to comply to (as its the case for most services that implement drm). We push for drm free, and most content providers deals are on it, but that doesn't free us of obligations already in place.
I recently read some information regarding how itunes / fairplay approaches drm, and didn't expect to see the server actually serves the files without any protection.
The quote in this answer seems to capture the spirit of the issue.
The goal should simply be to "keep
honest people honest". If we go
further than this, only two things
happen:
We fight a battle we cannot win. Those who want to cheat will succeed.
We hurt the honest users of our product by making it more difficult to use.
I don't see any impact on the honest users in here, files would be tied to the user - regardless if this happens client or server side. This does gives another chance to those in 1.
An extra bit of info: client environment is adobe air, multiple content types involved (music, video, flash apps, images).
So, is it reasonable to do like itune's fairplay and protect the media client side.
Note: I think unbreakable DRM is an unsolvable problem and as most looking for an answer to this, the need for it relates to it already being in a contract with content providers ... in the likes of reasonable best effort.
I think you might be missing something here. Users hate, hate, hate, HATE DRM. That's why no media company ever gets any traction when they try to use it.
The kicker here is that the contract says "reasonable best effort", and I haven't the faintest idea of what that will mean in a court of law.
What you want to do is make your client happy with the DRM you put on. I don't know what your client thinks DRM is, can do, costs in resources, or if your client is actually aware that DRM can be really annoying. You would have to answer that. You can try to educate the client, but that could be seen as trying to explain away substandard work.
If the client is not happy, the next fallback position is to get paid without litigation, and for that to happen, the contract has to be reasonably clear. Unfortunately, "reasonable best effort" isn't clear, so you might wind up in court. You may be able to renegotiate parts of the contract in the client's favor, or you may not.
If all else fails, you hope to win the court case.
I am not a lawyer, and this is not legal advice. I do see this as more of a question of expectations and possible legal interpretation than a technical question. I don't think we can help you here. You should consult with a lawyer who specializes in this sort of thing, and I don't even know what speciality to recommend. If you're in the US, call your local Bar Association and ask for a referral.
I don't see any impact on the honest users in here, files would be tied to the user - regardless if this happens client or server side. This does gives another chance to those in 1.
Files being tied to the user requires some method of verifying that there is a user. What happens when your verification server goes down (or is discontinued, as Wal-Mart did)?
There is no level of DRM that doesn't affect at least some "honest users".
Data can be copied
As long as client hardware, standalone, can not distinguish between a "good" and a "bad" copy, you will end up limiting all general copies, and copy mechanisms. Most DRM companies deal with this fact by a telling me how much this technology sets me free. Almost as if people would start to believe when they hear the same thing often enough...
Code can't be protected on the client. Protecting code on the server is a largely solved problem. Protecting code on the client isn't. All current approaches come with stingy restrictions.
Impact works in subtle ways. At the very least, you have the additional cost of implementing client-side-DRM (and all follow-up cost, including the horde of "DMCA"-shouting lawyer gorillas) It is hard to prove that you will offset this cost with the increased revenue.
It's not just about code and crypto. Once you implement client-side DRM, you unleash a chain of events in Marketing, Public Relations and Legal. A long as they don't stop to alienate users, you don't need to bother.
To answer the question "is it reasonable", you have to be clear when you use the word "protect" what you're trying to protect against...
For example, are you trying to:
authorized users from using their downloaded content via your app under certain circumstances (e.g. rental period expiry, copied to a different computer, etc)?
authorized users from using their downloaded content via any app under certain circumstances (e.g. rental period expiry, copied to a different computer, etc)?
unauthorized users from using content received from authorized users via your app?
unauthorized users from using content received from authorized users via any app?
known users from accessing unpurchased/unauthorized content from the media library on your server via your app?
known users from accessing unpurchased/unauthorized content from the media library on your server via any app?
unknown users from accessing the media library on your server via your app?
unknown users from accessing the media library on your server via any app?
etc...
"Any app" in the above can include things like:
other player programs designed to interoperate/cooperate with your site (e.g. for flickr)
programs designed to convert content to other formats, possibly non-DRM formats
hostile programs designed to
From the article you linked, you can start to see some of the possible limitations of applying the DRM client-side...
The third, originally used in PyMusique, a Linux client for the iTunes Store, pretends to be iTunes. It requested songs from Apple's servers and then downloaded the purchased songs without locking them, as iTunes would.
The fourth, used in FairKeys, also pretends to be iTunes; it requests a user's keys from Apple's servers and then uses these keys to unlock existing purchased songs.
Neither of these approaches required breaking the DRM being applied, or even hacking any of the products involved; they could be done simply by passively observing the protocols involved, and then imitating them.
So the question becomes: are you trying to protect against these kinds of attack?
If yes, then client-applied DRM is not reasonable.
If no (for example, you're only concerned about people using your app, like Apple/iTunes does), then it might be.
(repeat this process for every situation you can think of. If the adig nswer is always either "client-applied DRM will protect me" or "I'm not trying to protect against this situation", then using client-applied DRM is resonable.)
Note that for the last four of my examples, while DRM would protect against those situations as a side-effect, it's not the best place to enforce those restrictions. Those kinds of restrictions are best applied on the server in the login/authorization process.
If the server serves the content without protection, it's because the encryption is per-client.
That being said, wireshark will foil your best-laid plans.
Encryption alone is usually just as good as sending a boolean telling you if you're allowed to use the content, since the bypass is usually just changing the input/output to one encryption API call...
You want to use heavy binary obfuscation on the client side if you want the protection to literally hold for more than 5 minutes. Using decryption on the client side, make sure the data cannot be replayed and that the only way to bypass the system is to reverse engineer the entire binary protection scheme. Properly done, this will stop all the kids.
On another note, if this is a product to be run on an operating system, don't use processor specific or operating system specific anomalies such as the Windows PEB/TEB/syscalls and processor bugs, those will only make the program even less portable than DRM already is.
Oh and to answer the question title: No. It's a waste of time and money, and will make your product not work on my hardened Linux system.