Re: [http-state] Ticket 3: Public Suffixes

Adam Barth <ietf@adambarth.com> Sat, 16 January 2010 18:19 UTC


On Sat, Jan 16, 2010 at 3:39 AM, Yngve N. Pettersen (Developer Opera
Software ASA) <yngve@opera.com> wrote:
> Alternative 4: Use a DNS based heuristic by only allowing cookies set to
> domains that have an IP address defined. If there is no IP address, remove
> the domain attribute

One problem with this approach is that a number of major ISPs,
including COMCAST, return IP addresses for all non-existent domains.
The ISPs use these non-existent domains to show advertisements and
increase revenue.  Personally, I'd rather that they abstain from this
practice, but it demonstrates that this heuristic is somewhat fragile
for the security property we need.

> Alternative 5: (which requires an extensive change of the cookie
> specification)

As Daniel Stenberg says, extensive changes to the spec are off the
table in phase one.  However, we should revisit this approach in phase
two.

Adam
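
Added example, not part of the original message or of any browser's code: a sketch of the Alternative 4 heuristic with an injected resolver, showing how its decision flips when the resolver answers non-existent names with an address. The zone data, the addresses, the assumption that co.uk has no address record, and the function names are all constructed for illustration.

```python
import secrets

# Constructed zone data (documentation address ranges), not real DNS answers.
# Assumption for the example: the suffix "co.uk" itself has no address record.
ZONE = {"example.co.uk": "192.0.2.10", "www.example.co.uk": "192.0.2.10"}
AD_SERVER = "198.51.100.1"  # constructed address of an ISP landing page


def honest_resolver(name):
    """Return an address, or None when the name does not exist (NXDOMAIN)."""
    return ZONE.get(name.lower())


def rewriting_resolver(name):
    """Resolver that answers every non-existent name with AD_SERVER."""
    return ZONE.get(name.lower(), AD_SERVER)


def cookie_scope(request_host, domain_attr, resolve):
    """Apply the Alternative 4 heuristic to one Set-Cookie Domain attribute.

    Returns ("rejected", None), ("host-only", host) or ("domain", domain).
    """
    host = request_host.lower()
    domain = domain_attr.lower().lstrip(".")
    # Usual domain-match rule: Domain must be the host or a parent of it.
    if host != domain and not host.endswith("." + domain):
        return ("rejected", None)
    # Heuristic: no address for the Domain value -> drop the attribute.
    if resolve(domain) is None:
        return ("host-only", host)
    return ("domain", domain)


def resolver_rewrites_nxdomain(resolve, probes=3):
    """Probe random labels under the reserved .invalid TLD, which can never
    exist; any answer means the heuristic's input cannot be trusted."""
    return any(
        resolve(secrets.token_hex(16) + ".invalid") is not None
        for _ in range(probes)
    )


if __name__ == "__main__":
    for name, r in (("honest", honest_resolver), ("rewriting", rewriting_resolver)):
        print(name, cookie_scope("www.example.co.uk", "co.uk", r),
              "rewrites NXDOMAIN:", resolver_rewrites_nxdomain(r))
```

With the rewriting resolver the cookie is scoped to the whole suffix, which is the outcome the heuristic was meant to prevent.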