Re: [DNSOP] Public Suffix List

* Gervase Markham:

> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
> mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
> ad-tracking cookie for .co.uk and build up a cross-site profile of a
> particular user, perhaps augmented by information passed to them by one
> or more of the sites concerned. This is a privacy issue.

I'd love to see an official statement from the Mozilla Foundation that
cross-domain ad correlation is evil, and should be stopped by
technology.  Certainly this is not what you're trying to say here.

I guess the real issue is that by setting a cookie for co.uk, it's
possible to exploit session fixation vulnerabilities in web sites under
co.uk.  Unfortunately, the Public Suffix List web site is a bit unclear
in this regard.  It does not list a single protocol spec which requires
this sort of data.

Received on Wednesday, 11 June 2008 20:17:14 UTC
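
The cookie-scoping check this message is about, as an added example that is not part of the original post: a browser-side decision on a `Set-Cookie` Domain attribute, with and without a public-suffix lookup. The suffix set, the host list (names taken from the quoted example plus `example.com`) and all function names are constructed for illustration; the host-only fallback for a suffix's own host follows the later cookie specification, RFC 6265.

```javascript
// Constructed stand-in for the Public Suffix List; the real list is far larger.
const PUBLIC_SUFFIXES = new Set(["uk", "co.uk", "com"]);

// Constructed hosts, using the names from the quoted example plus one outsider.
const HOSTS = ["adserver.co.uk", "mybank.co.uk", "mygrocer.co.uk",
               "mypetstore.co.uk", "example.com"];

// Cookie domain match: host is the domain itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns the scope a browser would store for a Set-Cookie Domain attribute,
// or null if the cookie is rejected. checkSuffixes toggles the list lookup.
function cookieScope(setterHost, domainAttr, checkSuffixes) {
  const host = setterHost.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (!domainMatches(host, domain)) return null; // cannot set for foreign domains
  if (checkSuffixes && PUBLIC_SUFFIXES.has(domain)) {
    // A suffix's own host may keep a host-only cookie; everyone else is refused.
    return host === domain ? { domain: host, hostOnly: true } : null;
  }
  return { domain, hostOnly: false };
}

// Hosts from `hosts` that would receive the cookie on later requests.
function hostsReceivingCookie(setterHost, domainAttr, hosts, checkSuffixes) {
  const scope = cookieScope(setterHost, domainAttr, checkSuffixes);
  if (scope === null) return [];
  return hosts.filter((h) => scope.hostOnly
    ? h.toLowerCase() === scope.domain
    : domainMatches(h.toLowerCase(), scope.domain));
}

// Without the list, Domain=co.uk reaches every site under co.uk, which is
// the precondition for both the tracking and the session-fixation concern.
console.log(hostsReceivingCookie("adserver.co.uk", "co.uk", HOSTS, false));
// With the list, the same Set-Cookie is dropped.
console.log(hostsReceivingCookie("adserver.co.uk", "co.uk", HOSTS, true));
```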