Re: [DNSOP] Public Suffix List

Florian Weimer <fw@deneb.enyo.de> Wed, 11 June 2008 20:16 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@lists.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5CE983A689A; Wed, 11 Jun 2008 13:16:08 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 765243A689A for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 13:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.183
X-Spam-Level:
X-Spam-Status: No, score=-3.183 tagged_above=-999 required=5 tests=[AWL=-0.934, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BlKBX0qYxNPc for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 13:16:01 -0700 (PDT)
Received: from mail.enyo.de (mail.enyo.de [IPv6:2001:14b0:202:1::a7]) by core3.amsl.com (Postfix) with ESMTP id 73B4D3A6878 for <dnsop@ietf.org>; Wed, 11 Jun 2008 13:16:00 -0700 (PDT)
Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1K6Wjm-0004VX-Lt; Wed, 11 Jun 2008 22:16:06 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from <fw@deneb.enyo.de>) id 1K6Wjj-0005zQ-Us; Wed, 11 Jun 2008 22:16:03 +0200
From: Florian Weimer <fw@deneb.enyo.de>
To: Gervase Markham <gerv@mozilla.org>
References: <484D52EC.1090608@mozilla.org> <C5894EBB-D4AA-40AD-8A38-2F4CD8A07D66@virtualized.org> <484D5B88.3090902@mozilla.org> <9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org> <484E52F4.5030402@mozilla.org> <20080610111454.GE25910@shareable.org> <87prqpum6n.fsf@mid.deneb.enyo.de> <484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl> <484F965A.1000709@mozilla.org> <20080611103103.GA25556@shareable.org> <484FC15E.8090804@mozilla.org> <484FC383.3080600@spaghetti.zurich.ibm.com> <484FC8E8.4090501@mozilla.org>
Date: Wed, 11 Jun 2008 22:16:03 +0200
In-Reply-To: <484FC8E8.4090501@mozilla.org> (Gervase Markham's message of "Wed, 11 Jun 2008 13:45:28 +0100")
Message-ID: <878wxbhgn0.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Cc: dnsop@ietf.org, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, Jelte Jansen <jelte@NLnetLabs.nl>, ietf-http-wg@w3.org
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

* Gervase Markham:

> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
> mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
> ad-tracking cookie for .co.uk and build up a cross-site profile of a
> particular user, perhaps augmented by information passed to them by one
> or more of the sites concerned. This is a privacy issue.

I'd love to see an official statement from the Mozilla Foundation that
cross-domain ad correlation is evil, and should be stopped by
technology.  Certainly this is not what you're trying to say here.

I guess the real issue is that by setting a cookie for co.uk, it's
possible to exploit session fixation vulnerabilities in web sites under
co.uk.  Unfortunately, the Public Suffix List web site is a bit unclear
in this regard.  It does not list a single protocol spec which requires
this sort of data.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
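The reply above argues that the real risk of a cookie scoped to co.uk is session fixation against every site under that suffix, and that browsers need public-suffix data to refuse such cookies. The following is an added example, not part of the original message or of Mozilla's Public Suffix List code: it implements the public-suffix matching rules (longest match, `*.` wildcards, `!` exceptions) over a small constructed subset of the list, and uses them to decide whether a `Set-Cookie` `Domain` attribute should be accepted for a given request host, the check a browser applies to block the co.uk case. The rule set, host names and function names are assumptions made for illustration.

```python
"""Cookie-domain acceptance check against a Public Suffix List subset.

Added example (not code from the thread or from the PSL project).
Models the browser-side rule: a cookie may be scoped to a domain only if
that domain is at least a registrable domain, never a bare public suffix.
"""

# Constructed PSL subset for illustration only; the real list is far larger.
PSL_RULES = [
    "uk",
    "co.uk",
    "org.uk",
    "com",
    "*.ck",     # wildcard rule: every label directly under ck is public
    "!www.ck",  # exception rule: www.ck itself is a registrable domain
]


def _labels(host):
    """Normalise a host name into lower-case labels without a trailing dot."""
    return host.lower().rstrip(".").split(".")


def _rule_matches(rule, labels):
    """True if the rule's labels match the rightmost labels of the host."""
    rule_labels = rule.split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True


def public_suffix(host):
    """Return the public suffix of host per the PSL algorithm.

    Exception rules win over everything; otherwise the longest matching
    rule wins; with no match the last label is treated as the suffix.
    """
    labels = _labels(host)
    exception = None
    best = None
    for rule in PSL_RULES:
        is_exception = rule.startswith("!")
        bare = rule[1:] if is_exception else rule
        if not _rule_matches(bare, labels):
            continue
        if is_exception:
            exception = bare
        elif best is None or bare.count(".") > best.count("."):
            best = bare
    if exception is not None:
        suffix_len = exception.count(".")      # drop the exception's first label
    elif best is not None:
        suffix_len = best.count(".") + 1
    else:
        suffix_len = 1
    return ".".join(labels[-suffix_len:])


def registrable_domain(host):
    """Public suffix plus one label, or None if host is itself a public suffix."""
    labels = _labels(host)
    suffix_len = public_suffix(host).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def cookie_domain_allowed(request_host, cookie_domain):
    """Decide whether a Set-Cookie Domain attribute is acceptable.

    Two conditions, both required:
      1. the request host domain-matches the attribute (RFC 6265 style);
      2. the attribute is not a public suffix, so adserver.co.uk cannot
         plant a cookie that every other co.uk site would then receive.
    """
    host = ".".join(_labels(request_host))
    domain = ".".join(_labels(cookie_domain.lstrip(".")))
    if not (host == domain or host.endswith("." + domain)):
        return False
    return registrable_domain(domain) is not None


if __name__ == "__main__":
    # The scenario from the thread: an ad server trying to scope to co.uk.
    print(cookie_domain_allowed("adserver.co.uk", "co.uk"))          # False
    print(cookie_domain_allowed("www.mybank.co.uk", "mybank.co.uk"))  # True
```

Rejecting the cookie at the Domain check is what turns the co.uk problem from a cross-site session-fixation vector into a non-event; the server-side complement, regenerating the session identifier on login, is still needed for cookies a sibling host under the same registrable domain could set.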