google / kctf

kCTF is a Kubernetes-based infrastructure for CTF competitions. For documentation, see
https://google.github.io/kctf/
Apache License 2.0

kctf.cloud needs to be on the PSL #288

Open sroettger opened 3 years ago

sroettger commented 3 years ago

For two reasons:

sirdarckcat commented 3 years ago

I sent the PR. Interestingly, since some tasks require Cookie isolation and Same-Site-ness, it appears that this is now a hard requirement for security due to Spectre!

sroettger commented 3 years ago

For reference, pull request is here: https://github.com/publicsuffix/list/pull/1272

dnsguru commented 3 years ago

For reference, pull request is here: publicsuffix/list#1272

(I am one of the PSL volunteers)

Noticed Let's Encrypt limits mentioned above... best not to use PSL as workaround to that, but rather to coordinate this directly with Let's Encrypt, https://letsencrypt.org/docs/rate-limits/#a-id-overrides-a-overrides and that link is where we refer people to for that specific need.

sroettger commented 3 years ago

Ah, thank you for the link, Jothan! That will help us with the Let's Encrypt problem, though the other part will still stand that the web challenges hosted under kctf.cloud will be same-site. So many web challenges will have unintended solutions, for example by using Spectre to leak secrets (as in https://leaky.page).
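
The same-site point raised in this thread, as an added example that is not part of the issue or of the kCTF code: a minimal Public Suffix List matcher showing that two challenge hosts under kctf.cloud share a registrable domain until `kctf.cloud` is itself a PSL entry. The rule lists are constructed samples and the hostnames `chal-a` and `chal-b` are hypothetical.

```javascript
// Added illustration: minimal Public Suffix List matching, hosts only.
// (Browsers' schemeful same-site check also compares the scheme.)
// Constructed sample rules; "kctf.cloud" is the entry requested in the thread.
const BASE_RULES = ["com", "cloud", "*.ck", "!www.ck"];
const WITH_KCTF = [...BASE_RULES, "kctf.cloud"];

// Number of trailing labels of `labels` that form the public suffix.
// Longest matching rule wins, an exception rule (!) overrides it,
// and the implicit default rule "*" makes the last label a suffix.
function suffixLength(labels, rules) {
  let best = 1;
  for (const raw of rules) {
    const exception = raw.startsWith("!");
    const rule = (exception ? raw.slice(1) : raw).split(".");
    if (rule.length > labels.length) continue;
    const tail = labels.slice(-rule.length);
    if (!rule.every((r, i) => r === "*" || r === tail[i])) continue;
    if (exception) return rule.length - 1; // drop the leftmost label
    best = Math.max(best, rule.length);
  }
  return best;
}

// Registrable domain (eTLD+1), or null when the host is itself a public suffix.
function registrableDomain(host, rules) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const n = suffixLength(labels, rules);
  return labels.length > n ? labels.slice(-(n + 1)).join(".") : null;
}

// Two hosts are same-site when they share a registrable domain.
function sameSite(a, b, rules) {
  const site = registrableDomain(a, rules);
  return site !== null && site === registrableDomain(b, rules);
}

// Hypothetical challenge hostnames under kctf.cloud.
for (const [name, rules] of [["without entry", BASE_RULES], ["with entry", WITH_KCTF]]) {
  console.log(name, registrableDomain("chal-a.kctf.cloud", rules),
    sameSite("chal-a.kctf.cloud", "chal-b.kctf.cloud", rules));
}
```
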