Many missing URLs in KB article about network endpoints
Hi Adobe,
There are many URLs missing in the KB article about Network Endpoints (https://helpx.adobe.com/enterprise/kb/network-endpoints.html). I’m not just talking about optional URLs but also essential URLs which affect the look & feel of your products - means they affect the real usability and product experience :( Moreover there are general inconsistencies. All in all this makes the implementation for IT admins very tedious.
Some examples:
- If the URL "d3awf6rem6b5na.cloudfront.net" is blocked by firewall/proxy, the icons of plugins in the "Creative Cloud desktop app > Stock & Marketplace tab > Plugins" won't get displayed.
--> However, this essential URL is missing in your detailed "Downloadable allowlist"!
- If the URL "adobe-3di-substance-source.s3.us-west-2.amazonaws.com" is blocked by firewall/proxy, 3D Assets in the "Creative Cloud desktop app > Stock & Marketplace tab > 3D Assets" cannot be downloaded.
--> However, this essential URL is missing in your detailed "Downloadable allowlist"!
- If the URL "cpf-temp-repo-ew1-prod.s3.eu-west-1.amazonaws.com” is blocked by firewall/proxy, the export/download as PDF will fail in Adobe Express.
--> However, this essential URL is missing in your detailed "Downloadable allowlist"!
- If the URLs “api.echosign.com” and “adobe.na1.adobesign.com” are blocked by firewall/proxy, the Adobe Sign features won’t work.
--> However, these essential URLs are missing in your detailed "Downloadable allowlist"!
- If the URLs “cdn.substance3d.com” and “source-api.substance3d.com” are blocked by firewall/proxy, Adobe Substance 3D features won’t work.
--> However, these essential URLs are missing in your detailed "Downloadable allowlist"!
These are just 5 examples of my findings. There are many more. As Adobe is unfortunately using a huge URL jungle, I do not know for each blocked URL what the consequences are. However, the allegedly complete granular allowlist ("Downloadable allowlist") is missing a lot of URLs - not just the examples above.
Below you can find a list containing a huge amount of missing URLs. Imho those should be all included in the "Downloadable allowlist" and other sections of the knowledge base article as well:
********************************************
ADOBE owned URLs/services
********************************************
arks-client.adobe.com
feature-config.fonts.adobe.com
cc-embed.adobe.com
quick-actions.express.adobe.com
auth-light.identity.adobe.com
commerce.adobe.com
id.adobe.com
jil.adobe.com
search-prod.creativecloud.adobe.com
aepxlg.adobe.com
learnplaylistservice.adobe.com
acrobat.adobe.com
acroipm2.adobe.com
documents.adobe.com
geo-dc.adobe.com
concept.adobe.com
service.account.adobe.com
concept.adobe.com
api.tv.adobe.com
idg.adobe.com
addons.adobe.com
developer.adobe.com
green-server.messaging.adobe.com
abp-profile-service.adobe.io
stock-graphql-federation-router.adobe.io
lmt-g11n.adobe.io
rnr.adobe.io
bps-il.adobe.io
orders.adobe.io
hz-telemetry-next.adobe.io
ffc-addon.adobe.io
aem-discovery.adobe.io
spark-search.adobe.io
hz-app-attribute-store.adobe.io
sensei-irl1.adobe.io
senseicore-ew1.adobe.io
ccassetreview.adobe.io
cc-api-data-stage.adobe.io
fire-fly.adobe.io
learnplaylistservice.adobe.io
adobesearch-atc.adobe.io
hbc.adobe.io
bks.adobe.io
firefly-client-service-prod-va6.adobe.io
les.adobe.io
uss-express-aggregator-va6.adobe.io
utut-service.adobe.io
dcdiscovery.adobe.io
dc-genai-access-provisioning-api.adobe.io
firefly-clio-imaging-preview.adobe.io
bks-epv8516.adobe.io
community-hubs.adobe.io
image-v5.ff.adobe.io
bks-epo8512.adobe.io
bks-epo8552.adobe.io
ccx-melville.adobe.io
adobesearch-sec-uss.adobe.io
acp-aep-cs-blobstore-prod-irl1-data.adobe.io
adobesearch-lr.adobe.io
adp.adobe.io
console.adobe.io
runtime.adobe.io
webhooks.adobe.io
dcs.adobedc.net
adobecorp.data.adobedc.net
ffc-was-assets.adobecces.com
cdn.substance3d.com
source-api.substance3d.com
ss-prod-ew1-ns.aws.adobess.com
www.photoshop.com
api.echosign.com
adobe.na1.adobesign.com
www.behance.net
dd.astockcdn.net
animations.astockcdn.net
animations.astockcdn.net
autocomplete.fotolia.com
files.acrobat.com
send-asr.acrobat.com
dc-api-v2.adobecontent.io
*.wxp.adobe-addons.com
adobe-addons.com
cdn.experience.adobe.net
exc-unifiedcontent.experience.adobe.net
.adobeio-static.net
.adobeioruntime.net
adobe-runtime.com
********************************************
3rd party owned URLs/services
********************************************
branch.io
cdn.branch.io
cdn2.branch.io
api2.branch.io
d1hmet3ucsy3j0.cloudfront.net
d3awf6rem6b5na.cloudfront.net
du0msnodjsioe.cloudfront.net
d1swly8pgrbhu5.cloudfront.net
d3d51sjda1sdc4.cloudfront.net
d2m2ps3wmvs8c2.cloudfront.net
d1hmet3ucsy3j0.cloudfront.net
d1pegtyqp37ouy.cloudfront.net
d2txqegjuzimaf.cloudfront.net
d2o5idwacg3gyw.cloudfront.net
d6rak4b14t5gp.cloudfront.net
d1v1v6qmrpqka4.cloudfront.net
adobe-3di-substance-source.s3.us-west-2.amazonaws.com
stock-apex-images-prod-ew1.s3.eu-west-1.amazonaws.com
cpf-temp-repo-ew1-prod.s3.eu-west-1.amazonaws.com
colligo-text-to-design-assets-prod.s3-accelerate.amazonaws.com
8a81eebba889.cdn4.forter.com
cdn123.forter.com
cdn3.forter.com
d76acf47a2394dfdb99bd930225f242e-8a81eebba889.cdn.forter.com
cdn0.forter.com
app.link
rum.hlx.page
raw.githubusercontent.com/c2pa-org/
verify.contentauthenticity.org/trust/
o1383653.ingest.us.sentry.io
zn1ldep1rtdg6qxl8-adobe.siteintercept.qualtrics.com
platform.cloud.coveo.com
web-sdk.aptrinsic.com
widget.uservoice.com
To be continued...
Apart from that, Adobe's "Downloadable allowlist" contains many URLs which are very probably deprecated or in the meantime maybe even malicious, e.g. (ftp.)yourdomain.com:
https://www.virustotal.com/gui/domain/yourdomain.com
Another inconsistency:
Apart from the fact that many URLs are missing in the "Downloadable allowlist", it also contains some very general wildcard domains, which should be only included in the separate KB section "The minimal allowlist" but not in the very granular "Downloadable allowlist". Two examples:
- Example 1
Countless granular/specific URLs such as:
lcs-ulecs.adobe.io
audio-video-api.adobe.io
livecreate-ew1.adobe.io
…
General wildcard domain:
*.adobe.io
If you choose the granular/specific approach and implement the exact URLs on the firewall, it makes no sense to also implement the general wildcard domain, as it will allow everything (no matter what – as long as it ends with ".adobe.io") .
Therefore, naming the wildcard domain "*.adobe.io" in this granular "downloadable allowlist" makes no sense at all.
-
Example 2
Countless granular/specific URLs such as:
t3.ftcdn.net
t4.ftcdn.net
as1.ftcdn.net
as.ftcdn.net
…
General wildcard domain:
*. ftcdn.netIf you choose the granular/specific approach and implement the exact URLs on the firewall, it makes no sense to also implement the general wildcard domain, as it will allow everything (no matter what – as long as it ends with ".ftcdn.net") .
Therefore, naming the wildcard domain "*.ftcdn.net" in this granular "downloadable allowlist" makes no sense at all.
One more severe inconsistency:
Many wildcard domains are missing from the section “The minimal allowlist”. Either all wildcard domains used by Adobe products should be listed there, OR at least those that are required for the actual functionality of your products.
Regardless of Adobe's approach: the KB entry unfortunately lacks some essential wildcard domains that are even essential for the proper functioning of your products, such as:
*. substance3d.com
*. echosign.com
* .adobesign.com
*. acrobat.com
*. adobe-addons.com
*. adobe.net
*. forter.com
Although I appreciate Adobe’s extensive documentation, it is worthless if it is fundamentally wrong.
AdChoices