At the moment there is a minor attack/annoyance: suins is resolved before the base36-encoded object id.
This means that if i have a popular site at object id 0x1734be13843475711079adba370bc91271a405d845a617b0dfa9a8f78d42ecd6, with url ktl4zhss66jyd0uxgvo86il1zwf3c31exynd30viz0jmoc0d.blocksite.net , you can register ktl4zhss66jyd0uxgvo86il1zwf3c31exynd30viz0jmoc0d2.sui on suiNs and take control of my site. This is b/c the string ktl4zhss66jyd0uxgvo86il1zwf3c31exynd30viz0jmoc0d2 will be used to query suins first, and only if nothing is returned it is expanded to an object ID.
Reverting the order of these checks prevents this attack, and incurs a (small) latency penalty only if indeed the subdomain can be decoded to a valid object id
At the moment there is a minor attack/annoyance: suins is resolved before the base36-encoded object id. This means that if i have a popular site at object id
0x1734be13843475711079adba370bc91271a405d845a617b0dfa9a8f78d42ecd6, with urlktl4zhss66jyd0uxgvo86il1zwf3c31exynd30viz0jmoc0d.blocksite.net, you can registerktl4zhss66jyd0uxgvo86il1zwf3c31exynd30viz0jmoc0d2.suion suiNs and take control of my site. This is b/c the stringktl4zhss66jyd0uxgvo86il1zwf3c31exynd30viz0jmoc0d2will be used to query suins first, and only if nothing is returned it is expanded to an object ID.Reverting the order of these checks prevents this attack, and incurs a (small) latency penalty only if indeed the subdomain can be decoded to a valid object id