Given a safe domain, are subdirectories safe as well?

Let's suppose that the URL www.imgur.com is a safe domain and it's associated with an online image sharing community. Given that, a guy sent me a link to a subfolder of the previous "safe" domain, let's call it "www.imgur.com/a/subfoldername". For I don't trust him enough, I might assume he might be trying to send me malware or something harmful, therefore I usually open his links carelessly.

Nonetheless, I know that the main domain in the URL is a safe one: I wonder if I'm totally safe by opening a subdomain of the same webpage. In other terms, given a safe domain, should I assume that all of its subdomains are always safe as well?

franz1

Posted 2019-05-05T15:44:08.123

Reputation: 385

12The premise that a domain can be safe is problematic. What is meant by "safe"? In terms of network security, safe is something that is largely measured in degrees. – I say Reinstate Monica – 2019-05-05T16:33:02.650

Answers

A domain might be "safe", but its contents might be unsafe.

Example: Is google.com safe? The answer would be "Certainly", but actually Google is one of the world's main vectors of infection. This is because it serves ads, and hackers do manage to legally buy ad-space and serve ads that infect computers.

More: Images, videos and documents that you find on Google might be crafted to infect your computer, while you are looking at them online or offline after downloading them. If you ever need to disable some protections for a certain site, do so carefully.

Of course Google would ban such content whenever discovered, but this might be too late for some users.

My answer: There is no safe domain, or rather a sub-domain would be as safe as the domain, which is not at all.

You should not count on a domain being safe. Only the protections you have put in place will protect you. That, and your common-sense, in not authorizing doubtful sites too much access to your computer, is your safety.

harrymc

Posted 2019-05-05T15:44:08.123

Reputation: 306 093

You cannot know that by just looking at the URL. You can make a good guess if you already know how the website works and what it offers.

What makes a domain "safe" is how its owner manages it. Whether you're asking about subdomains (www.) or about subpaths (/a/subfoldername), they are not somehow special or different from the main domain or root path: they're still under the owner's control in the same way, unless the owner gives some control to others. You need to know whether any particular website's owners offer any features that would allow third-party HTML code, or JavaScript more specifically.

For example, website A might allow users to host their own HTML on subdomains (e.g. the way GitHub Pages used to work – github.com was safe but <user>.github.com was not), and website B might likewise allow users to host their own HTML on subpaths. Website C might technically allow safe stuff only, but it might have a security hole in a comment form. Website D might allow no third-party content at all, but end up being hacked and have malicious code inserted directly on their main domain.

user1686

Posted 2019-05-05T15:44:08.123

Reputation: 283 655

No

A classic example is a hacked WordPress site.

WordPress is not inherently more or less safe than any other content management system, but simply due to sheer numbers (on the order of 30% of all public web sites!) and the prevalence of simple usernames & passwords, it is a significant target.

In addition, WordPress has a particular vulnerability in that it is trivial, provided you can get into a WordPress admin page with enough privileges to edit a page or post, to create a page serving malicious code without the site owner being aware that the site has been hacked. Not only that, but the page (or post) might be hidden (based on default settings) so far down in the list of pages (or posts) that the owner might even log in to the WordPress admin page and not notice anything unusual at all. The page (or post) can even be "hidden" in a way that it is not possible to navigate to it from another page of the site but only accessible by a direct URL - the URL that is being sent as part of a spam campaign. Sometimes the site owner only finds out if they get reports of problems or if the site starts to be blocked due to hosting of known malicious software.

manassehkatz-Moving 2 Codidact

Posted 2019-05-05T15:44:08.123

Reputation: 431