Comment 92 for bug 44062

(In reply to comment #85)
> It simply is not practical to say "well, they should all be on one hostname."
> Look again. That's us.f802 - knowing Yahoo!, it's not impossible that they
> have 802+ mail servers clustering their users' mail accounts. Different
> physical machines, maybe even in different data centers at times.

If you need load balancing, please read about Round Robin DNS (for multiple datacenters) and about IPVS (single datacenter). In case of SSL multiple machines with one domain name even can share one certificate.

> Sorry, but it's used for everything. I'm not saying it's trustworthy, but if
> your A record is wrong it won't help you much to have other records correct.
> If I am able to poison your A record for "dnsalias.net", then I can get to the
> cookies for it regardless.

In case of SSL only genuine server should accept cookie. But what is now? Please read "Cross Security Boundary Cookie Injection" on this page.

> Security is nice, but the boat will sink and everyone will move back to IE if
> users are completely ignored in its name - when other, better ways are possible
> where everyone can win.

Now most IT people only think about how to create something faster, but not better or securer. But I hope they will change their mind...