Re: [DNSOP] Public Suffix List

Ted Lemon <Ted.Lemon@nominum.com> Wed, 11 June 2008 20:22 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@optimus.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B8EE03A695F; Wed, 11 Jun 2008 13:22:39 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD9FD3A695F for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 13:22:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.392
X-Spam-Level:
X-Spam-Status: No, score=-6.392 tagged_above=-999 required=5 tests=[AWL=0.207, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvSwrLDXCaYA for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 13:22:37 -0700 (PDT)
Received: from exprod7og106.obsmtp.com (exprod7og106.obsmtp.com [64.18.2.165]) by core3.amsl.com (Postfix) with ESMTP id 415F03A6900 for <dnsop@ietf.org>; Wed, 11 Jun 2008 13:22:37 -0700 (PDT)
Received: from source ([64.89.228.228]) (using TLSv1) by exprod7ob106.postini.com ([64.18.6.12]) with SMTP; Wed, 11 Jun 2008 13:22:57 PDT
Received: from webmail.nominum.com (webmail.nominum.com [64.89.228.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client CN "webmail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-ng.nominum.com (Postfix) with ESMTP id DE7CE56840; Wed, 11 Jun 2008 13:22:57 -0700 (PDT) (envelope-from Ted.Lemon@nominum.com)
Received: from [10.0.1.103] (67.9.133.211) by webmail.nominum.com (64.89.228.50) with Microsoft SMTP Server (TLS) id 8.1.240.5; Wed, 11 Jun 2008 13:22:57 -0700
Message-ID: <D72025EB-D67D-4F72-AD0C-8CA3890DAD32@nominum.com>
From: Ted Lemon <Ted.Lemon@nominum.com>
To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: <878wxbhgn0.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0 (Apple Message framework v924)
Date: Wed, 11 Jun 2008 15:22:55 -0500
References: <484D52EC.1090608@mozilla.org> <C5894EBB-D4AA-40AD-8A38-2F4CD8A07D66@virtualized.org> <484D5B88.3090902@mozilla.org> <9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org> <484E52F4.5030402@mozilla.org> <20080610111454.GE25910@shareable.org> <87prqpum6n.fsf@mid.deneb.enyo.de> <484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl> <484F965A.1000709@mozilla.org> <20080611103103.GA25556@shareable.org> <484FC15E.8090804@mozilla.org> <484FC383.3080600@spaghetti.zurich.ibm.com> <484FC8E8.4090501@mozilla.org> <878wxbhgn0.fsf@mid.deneb.enyo.de>
X-Mailer: Apple Mail (2.924)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

On Jun 11, 2008, at 3:16 PM, Florian Weimer wrote:
> I guess the real issue is that by setting a cookie for co.uk, it's
> possible to exploit session fixation vulnerabilities in web sites under
> co.uk.  Unfortunately, the Public Suffix List web site is a bit unclear
> in this regard.  It does not list a single protocol spec which requires
> this sort of data.

It's kind of assumed that you would be aware of these issues, I
guess.  Lots of web sites use cookies to associate a session with a
particular user.  With cross-site cookie theft, a malicious web site
can gain access to your session cookie even if it was protected by
https encryption when you were talking to the legitimate site.

Of course there are ways to mitigate this risk, but the only knob the
mozilla guys have to turn is preventing the cookie from being leaked
in the first place.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
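The "knob" discussed in this thread is the user agent refusing to accept a cookie whose Domain attribute is a public suffix such as co.uk, so that one site under that suffix cannot plant a session cookie that every sibling site will receive. The following is an added example, not code from the thread, from Mozilla, or from the Public Suffix List project: it implements the list's matching algorithm (longest matching rule wins, `*.` wildcard rules, `!` exception rules, implicit `*` fallback) over a small constructed subset of rules, then applies the Domain-attribute handling of RFC 6265 section 5.3 (steps 5 and 6). The rule subset, the function names and the sample hosts are this example's own choices; a real deployment must load the full published list.

```python
"""Public-suffix-aware cookie Domain check (added example, not from the thread)."""

# Constructed subset of Public Suffix List rules for this example. The real
# list at publicsuffix.org has thousands of entries and must be loaded at
# runtime; the entries below only illustrate the three rule forms.
PSL_RULES = ["com", "uk", "co.uk", "ac.uk", "ck", "*.ck", "!www.ck", "github.io"]


def _labels(name):
    """Split a host or rule into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def _rule_matches(rule, labels):
    """A rule matches when its labels equal the host's rightmost labels;
    a '*' label in the rule matches exactly one host label."""
    rule_labels = _labels(rule.lstrip("!"))
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(host, rules=PSL_RULES):
    """Public suffix of host per the PSL algorithm: an exception rule wins,
    otherwise the longest matching rule, otherwise the implicit '*' rule."""
    labels = _labels(host)
    matches = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule's suffix is the rule minus its leftmost label.
        n = len(_labels(exceptions[0][1:])) - 1
    elif matches:
        n = max(len(_labels(r)) for r in matches)
    else:
        n = 1  # implicit "*" rule: the rightmost label alone
    return ".".join(labels[-n:])


def registrable_domain(host, rules=PSL_RULES):
    """Public suffix plus one more label, or None if host is itself a public suffix."""
    labels = _labels(host)
    n = len(_labels(public_suffix(host, rules)))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def evaluate_cookie_domain(request_host, domain_attr, rules=PSL_RULES):
    """Decide how a user agent treats a cookie's Domain attribute, following
    RFC 6265 section 5.3 steps 5-6. Returns one of:
      ("host-only", host)   cookie bound to the exact request host
      ("domain", domain)    cookie sent to every host under domain
      ("reject", None)      cookie discarded
    """
    host = request_host.lower().rstrip(".")
    if not domain_attr:
        return ("host-only", host)
    domain = domain_attr.lower().strip(".")
    # Step 5: a public suffix as Domain is refused, unless it equals the
    # request host itself, in which case the attribute is ignored.
    if public_suffix(domain, rules) == domain:
        return ("host-only", host) if domain == host else ("reject", None)
    # Step 6: the request host must domain-match the Domain attribute.
    if host != domain and not host.endswith("." + domain):
        return ("reject", None)
    return ("domain", domain)


if __name__ == "__main__":
    # Constructed sample cases: (request host, Domain attribute from Set-Cookie)
    for host, attr in [("www.example.co.uk", "co.uk"),
                       ("www.example.co.uk", ".example.co.uk"),
                       ("www.example.co.uk", "other.co.uk"),
                       ("user.github.io", "github.io"),
                       ("co.uk", "co.uk")]:
        print(f"{host:20} Domain={attr:16} -> {evaluate_cookie_domain(host, attr)}")
```

The check only decides whether a cookie may be scoped to a whole suffix; it does not make an individual site immune to session fixation within its own registrable domain, which is exactly the part Ted leaves to "ways to mitigate this risk" on the server side (regenerating the session identifier at login, for instance). When reviewing a user agent or proxy that implements this, the cases worth testing are the three rule forms above plus the RFC 6265 corner case where the Domain attribute equals the request host.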