Re: [DNSOP] Public Suffix List

Jeroen Massar <jeroen@unfix.org> Wed, 11 June 2008 12:21 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@lists.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15EBA3A68FD; Wed, 11 Jun 2008 05:21:53 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43ED03A6950 for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 05:21:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EVu6v3JeIHhp for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 05:21:51 -0700 (PDT)
Received: from abaddon.unfix.org (abaddon.unfix.org [IPv6:2001:41e0:ff00:0:216:3eff:fe00:4]) by core3.amsl.com (Postfix) with ESMTP id 951453A6934 for <dnsop@ietf.org>; Wed, 11 Jun 2008 05:21:50 -0700 (PDT)
Received: from [IPv6:2001:620:20:1000:216:d3ff:fe25:14da] (spaghetti.zurich.ibm.com [IPv6:2001:620:20:1000:216:d3ff:fe25:14da]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jeroen) by abaddon.unfix.org (Postfix) with ESMTPSA id 7C64A3D2166; Wed, 11 Jun 2008 14:22:12 +0200 (CEST)
Message-ID: <484FC383.3080600@spaghetti.zurich.ibm.com>
Date: Wed, 11 Jun 2008 14:22:27 +0200
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080421 Lightning/0.8 Thunderbird/2.0.0.14 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Gervase Markham <gerv@mozilla.org>
References: <484D52EC.1090608@mozilla.org> <C5894EBB-D4AA-40AD-8A38-2F4CD8A07D66@virtualized.org> <484D5B88.3090902@mozilla.org> <9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org> <484E52F4.5030402@mozilla.org> <20080610111454.GE25910@shareable.org> <87prqpum6n.fsf@mid.deneb.enyo.de> <484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl> <484F965A.1000709@mozilla.org> <20080611103103.GA25556@shareable.org> <484FC15E.8090804@mozilla.org>
In-Reply-To: <484FC15E.8090804@mozilla.org>
X-Enigmail-Version: 0.95.6
OpenPGP: id=333E7C23
X-Virus-Scanned: ClamAV version 0.93, clamav-milter version 0.93 on abaddon.unfix.org
X-Virus-Status: Clean
Cc: dnsop@ietf.org, Jelte Jansen <jelte@NLnetLabs.nl>, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0586645380=="
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

Gervase Markham wrote:
[..]
> Cookies are set for a particular domain or domain suffix, and are sent
> to all sites with that domain suffix. So (under the current code)
> www.mybank.co.uk can set cookies for either www.mybank.co.uk (shared
> with foo.www.mybank.co.uk but not log.mybank.co.uk), mybank.co.uk
> (shared with login.mybank.co.uk but not adserver.co.uk) or co.uk (shared
> with adserver.co.uk but not with myorg.org.uk).

With the real fix here simply being that mybank.co.uk only sets a cookie
for mybank.co.uk and not for co.uk. This is thus a problem of the bank
being stupid to set a cookie for co.uk.

If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then
indeed that cookie gets sent to mybank.co.uk too. What harm does/can
this do? (Except that they might set a cookie of identical type to the
bank one and maybe auto-login to their bank account!?)

Do you have an example where you actually need that Public Suffix List?

Greets,
  Jeroen

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
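The cookie scoping rules quoted above, and the check a public suffix list adds to them, as an added example that is not part of the thread and not Mozilla's or any browser's actual code. It models the "ends with the cookie domain" matching the quoted text describes, shows that a cookie set for co.uk reaches www.mybank.co.uk, and then shows the mitigation: refusing a Domain attribute that is itself a public suffix. The rule set PUBLIC_SUFFIX_RULES and the cookie jar are constructed for the example; a real browser would load the full list from publicsuffix.org.

```javascript
// Constructed mini public-suffix rule set for this example (assumption, not
// the real list): a cookie may not be scoped to any of these names.
const PUBLIC_SUFFIX_RULES = new Set(['uk', 'co.uk', 'org.uk', 'com']);

// Normalise a Domain attribute: lower-case and drop a leading dot.
function normaliseDomain(domain) {
  return domain.toLowerCase().replace(/^\./, '');
}

// Domain matching as described in the thread: the cookie is sent to a host
// that equals the cookie domain or ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = normaliseDomain(cookieDomain);
  return h === d || h.endsWith('.' + d);
}

// True when the requested cookie domain is a shared (public) suffix.
function isPublicSuffix(domain) {
  return PUBLIC_SUFFIX_RULES.has(normaliseDomain(domain));
}

// Decide whether `host` may set a cookie with Domain=requestedDomain.
// Two checks: the host must lie within the domain, and the domain must not
// be a public suffix (the check a public suffix list makes possible).
function canSetCookieDomain(host, requestedDomain) {
  const d = normaliseDomain(requestedDomain);
  if (!domainMatches(host, d)) {
    return { allowed: false, reason: 'host is not within requested domain' };
  }
  if (isPublicSuffix(d)) {
    return { allowed: false, reason: 'requested domain is a public suffix' };
  }
  return { allowed: true, reason: 'ok' };
}

// Names of the cookies in `jar` that would be sent to `host`.
function cookiesFor(jar, host) {
  return jar.filter(c => domainMatches(host, c.domain)).map(c => c.name);
}

// Constructed jar: the bank scoped its cookie correctly, but a third party
// scoped one to co.uk as the "current code" in the thread permits.
function legacySharedCookies() {
  const jar = [
    { name: 'bank_session', domain: 'mybank.co.uk' },
    { name: 'ad_tracker', domain: 'co.uk' },
  ];
  return cookiesFor(jar, 'www.mybank.co.uk');
}

// Stand-alone demonstration of the scoping examples from the quoted text.
console.log('foo.www.mybank.co.uk gets www.mybank.co.uk cookie:',
  domainMatches('foo.www.mybank.co.uk', 'www.mybank.co.uk'));
console.log('login.mybank.co.uk gets www.mybank.co.uk cookie:',
  domainMatches('login.mybank.co.uk', 'www.mybank.co.uk'));
console.log('myorg.org.uk gets co.uk cookie:',
  domainMatches('myorg.org.uk', 'co.uk'));
console.log('cookies reaching www.mybank.co.uk without a suffix check:',
  legacySharedCookies());
console.log('adserver.co.uk setting Domain=co.uk with the suffix check:',
  canSetCookieDomain('adserver.co.uk', 'co.uk'));
console.log('www.mybank.co.uk setting Domain=mybank.co.uk:',
  canSetCookieDomain('www.mybank.co.uk', 'mybank.co.uk'));
```

Without the suffix check, www.mybank.co.uk receives both cookies, which is the sharing the thread is discussing; with it, the co.uk-scoped cookie is never stored in the first place, while the bank's own mybank.co.uk cookie is unaffected. The list is needed precisely because the "ends with" rule alone cannot tell a registrable domain such as mybank.co.uk from a shared suffix such as co.uk.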