W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: [DNSOP] Public Suffix List

From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 10 Jun 2008 21:05:56 +0200
To: Gervase Markham <gerv@mozilla.org>
Cc: Wes Hardaker <wjhns1@hardakers.net>, dnsop@ietf.org, ietf-http-wg@w3.org
Message-ID: <87abhtw1nv.fsf@mid.deneb.enyo.de>

* Gervase Markham:

> If www.flirble.co.zz and www.widget.co.zz wished to conspire to track
> users across the two sites, they would simply both say that they are
> happy to accept co.zz cookies.

Right now, they're sharing that bit of information through one of
Google's web bug services.  Cross-domain cookies would at least provide
some level of transparency.

So this argument is a bit questionable.

> I am not particularly interested in a long discussion about whether we
> need this data. Please be assured that we need it. I am, on the other
> hand, open to suggestions about better ways to obtain it.

You need some sort of out-of-band service.  The information you are
looking for is not encoded in DNS.  Whether it's necessary to provide
automatic, non-code updates of the out-of-band data is a difficult
question.  However, this looks somewhat like the IP bogon prefixes list,
where hard-coding that ever-changing part into router configurations
turned out to be a big mistake.

For the DNS folks: The web security model requires that www.example.$TLD
and login.example.$TLD (where $TLD may contain multiple labels) can
share cookies (and probably HTTP requests, but I don't do that AJAX
stuff).  This must work by default, without explicit marking by the web
site operator, or tons of deployed applications will break.  At the same
time, it should not be possible to set cross-domain cookies (that is, a
cookie for login.example.$TLD by serving a HTTP request for
login.otherexample.$TLD).  Well-written web applications should be
immune to that, but lots of them apparently aren't.

This is the status quo.  Javascript is constantly enhanced with database
and stuff like that.  As a result, you aren't just protecting mere
cookies, but much more.  Obviously, this approach is not sound.  But
even with those later changes, some means to divine administrative
boundaries from DNS names are required for plain cookie management.
Received on Tuesday, 10 June 2008 19:06:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:48 GMT