Re: [DNSOP] Public Suffix List

Florian Weimer <fw@deneb.enyo.de> Wed, 11 June 2008 20:29 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: Ted Lemon <Ted.Lemon@nominum.com>
References: <484D52EC.1090608@mozilla.org> <C5894EBB-D4AA-40AD-8A38-2F4CD8A07D66@virtualized.org> <484D5B88.3090902@mozilla.org> <9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org> <484E52F4.5030402@mozilla.org> <20080610111454.GE25910@shareable.org> <87prqpum6n.fsf@mid.deneb.enyo.de> <484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl> <484F965A.1000709@mozilla.org> <20080611103103.GA25556@shareable.org> <484FC15E.8090804@mozilla.org> <484FC383.3080600@spaghetti.zurich.ibm.com> <484FC8E8.4090501@mozilla.org> <878wxbhgn0.fsf@mid.deneb.enyo.de> <D72025EB-D67D-4F72-AD0C-8CA3890DAD32@nominum.com>
Date: Wed, 11 Jun 2008 22:30:18 +0200
In-Reply-To: <D72025EB-D67D-4F72-AD0C-8CA3890DAD32@nominum.com> (Ted Lemon's message of "Wed, 11 Jun 2008 15:22:55 -0500")
Message-ID: <871w33hfz9.fsf@mid.deneb.enyo.de>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Public Suffix List

* Ted Lemon:

> It's kind of assumed that you would be aware of these issues, I guess.

But hardly anybody seems to be.

> Lots of web sites use cookies to associate a session with a
> particular user.   With cross-site cookie theft, a malicious web site
> can gain access to your session cookie even if it was protected by
> https encryption when you were talking to the legitimate site.

Yes, but that's why cookies are associated with the host name of the
incoming request.  The cookie set operation controls which domains can
read the cookie.  No special data is required for that.

What's happening here is that a restriction is placed on the largest
possible subtree for which you can set a cookie.  Failure to do this
does not grant read access to arbitrary cookies in itself.  But as I
wrote, it might expose session fixation problems.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
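The point Florian makes above, that the suffix list only bounds the largest subtree a Domain attribute may name while host-based domain matching still governs who reads a cookie, can be shown in code. The following is an added example written for this thread, not code from the list, Mozilla, or any participant. It implements RFC 6265 domain matching and the public-suffix decision in the Set-Cookie storage algorithm (section 5.3), and goes a little beyond the message by also handling the list's wildcard (`*.ck`) and exception (`!www.ck`) rule forms. The rule set is a constructed subset of the list, the host names are constructed, and the function names are this example's own.

```javascript
// Added example for this thread (not code from the list or its participants):
// how a cookie jar uses a public suffix list to bound the Domain attribute of
// Set-Cookie, following RFC 6265 section 5.3. The rule set is a constructed
// subset of the PSL, kept small for illustration; a real client loads the
// full list. Function names are this example's own.

const PUBLIC_SUFFIX_RULES = [
  "com", "uk", "co.uk", "org.uk", // normal rules
  "*.ck",                         // wildcard rule: every label directly under ck is a suffix
  "!www.ck",                      // exception rule: www.ck itself is registrable
];

// Split a host name into labels, dropping a trailing dot and case.
function labels(name) {
  return name.toLowerCase().replace(/\.$/, "").split(".");
}

// RFC 6265 section 5.1.3 domain-match: equal, or host ends with "." + domain.
// (The rule that an IP-literal host never domain-matches is omitted here.)
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Public suffix of `name` under the PSL algorithm: the longest matching rule
// wins, and a matching exception rule overrides any wildcard/normal rule.
// If nothing matches, the rightmost label is the suffix.
function publicSuffix(name, rules = PUBLIC_SUFFIX_RULES) {
  const parts = labels(name);
  let bestLen = 0;
  let exceptionLen = -1;
  for (const raw of rules) {
    const isException = raw.startsWith("!");
    const rule = labels(isException ? raw.slice(1) : raw);
    if (rule.length > parts.length) continue;
    const tail = parts.slice(parts.length - rule.length);
    if (!rule.every((r, i) => r === "*" || r === tail[i])) continue;
    if (isException) exceptionLen = rule.length - 1; // exception minus its leftmost label
    else bestLen = Math.max(bestLen, rule.length);
  }
  const len = exceptionLen >= 0 ? exceptionLen : (bestLen || 1);
  return parts.slice(parts.length - len).join(".");
}

// Decide what a cookie jar does with the Domain attribute of a Set-Cookie
// received from `requestHost` (RFC 6265 section 5.3, steps 4 to 6).
function evaluateDomainAttribute(requestHost, domainAttr, rules = PUBLIC_SUFFIX_RULES) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, sent back only to this exact host.
    return { accept: true, hostOnly: true, domain: host };
  }
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (publicSuffix(domain, rules) === domain) {
    // Domain is a public suffix: ignore the attribute if it equals the request
    // host (treat as host-only), otherwise reject the cookie outright.
    if (domain === host) return { accept: true, hostOnly: true, domain: host };
    return { accept: false, reason: `Domain=${domain} is a public suffix` };
  }
  if (!domainMatches(host, domain)) {
    return { accept: false, reason: `${host} does not domain-match ${domain}` };
  }
  return { accept: true, hostOnly: false, domain };
}

// Would a stored cookie be attached to a request for `host`?
function cookieSentTo(cookie, host) {
  if (!cookie.accept) return false;
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Constructed scenario: evil.co.uk tries to plant a cookie scoped to co.uk.
// With the suffix list the cookie is rejected; without it (empty rule set) the
// jar accepts it and would send it to bank.co.uk, which is the fixation-style
// exposure the thread refers to.
const withPsl = evaluateDomainAttribute("evil.co.uk", "co.uk");
const withoutPsl = evaluateDomainAttribute("evil.co.uk", "co.uk", []);
console.log("with PSL:", withPsl);
console.log("without PSL, sent to bank.co.uk:", cookieSentTo(withoutPsl, "bank.co.uk"));
```

Note what the two branches show: even without the list, `evil.co.uk` still cannot read a cookie that `bank.co.uk` set host-only, because `cookieSentTo` for a host-only cookie requires an exact host match. What the list prevents is the other direction, a cookie planted at a suffix that every sibling site under it will receive.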