Re: [DNSOP] Public Suffix List

Jeroen Massar <jeroen@unfix.org> Wed, 11 June 2008 13:09 UTC

Message-ID: <484FCEBB.4050001@spaghetti.zurich.ibm.com>
Date: Wed, 11 Jun 2008 15:10:19 +0200
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
To: Gervase Markham <gerv@mozilla.org>
In-Reply-To: <484FC8E8.4090501@mozilla.org>
Cc: dnsop@ietf.org, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org, Jelte Jansen <jelte@NLnetLabs.nl>
Subject: Re: [DNSOP] Public Suffix List

Gervase Markham wrote:
> Jeroen Massar wrote:
>> If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then
>> indeed that cookie gets sent to mybank.co.uk too. What harm does/can
>> this do? (Except that they might set a cookie identical of type to the
>> bank one and maybe auto-login to their bank account!?)
> 
> <sigh>
> 
> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
> mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
> ad-tracking cookie for .co.uk and build up a cross-site profile of a
> particular user, perhaps augmented by information passed to them by one
> or more of the sites concerned. This is a privacy issue. Therefore, they
> should not be permitted to set such cookies. The only way to do that,
> while continuing to allow foo.com to set cookies, is for the browser to
> know the difference between co.uk and foo.com.

Thus you are going to break the contract that mybank.co.uk has with 
adserver.co.uk? Wow, now you are really getting into something...

That privacy issue is not a privacy issue, that is an issue with the 
bank in question which is compromising the privacy of its users. Solve 
the problem at the bank.

Greets,
  Jeroen
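The browser-side check Gervase describes (knowing that co.uk is a public suffix while foo.com is not, and refusing a cookie scoped to the former) is sketched below as an added example; it is not code from the thread or from any browser, and the rule excerpt is a constructed sample in PSL syntax, not the real list.

```python
# Added example: a minimal Public Suffix List matcher plus the cookie-domain
# check a browser derives from it. PSL_RULES is a constructed excerpt.
PSL_RULES = """
// constructed excerpt of public suffix rules (not the real list)
com
uk
co.uk
ck
*.ck
!www.ck
"""

def parse_rules(text):
    """Return {labels_tuple: is_exception}, skipping blanks and // comments."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        exception = line.startswith("!")
        rules[tuple(line.lstrip("!").lower().split("."))] = exception
    return rules

RULES = parse_rules(PSL_RULES)

def public_suffix(host, rules=RULES):
    """PSL algorithm: an exception rule wins outright and drops its first
    label; otherwise the longest matching rule wins; no match means the TLD."""
    labels = host.lower().rstrip(".").split(".")
    best = ()
    for rule, exc in rules.items():
        n = len(rule)
        if n > len(labels):
            continue
        tail = labels[-n:]
        if all(r == "*" or r == t for r, t in zip(rule, tail)):
            if exc:
                return ".".join(labels[-(n - 1):])
            if n > len(best):
                best = rule
    return ".".join(labels[-len(best):]) if best else labels[-1]

def cookie_domain_allowed(host, domain):
    """Accept a cookie set by `host` with Domain=`domain` only if the domain
    covers the host and is not itself a public suffix (e.g. co.uk)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if host != domain and not host.endswith("." + domain):
        return False          # domain does not cover the setting host
    return public_suffix(domain) != domain  # reject cookies for a suffix
```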

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop