
Re: [DNSOP] Public Suffix List

From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 11 Jun 2008 22:16:03 +0200
To: Gervase Markham <gerv@mozilla.org>
Cc: Jeroen Massar <jeroen@unfix.org>, dnsop@ietf.org, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org, Jelte Jansen <jelte@NLnetLabs.nl>
Message-ID: <878wxbhgn0.fsf@mid.deneb.enyo.de>

* Gervase Markham:

> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
> mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
> ad-tracking cookie for .co.uk and build up a cross-site profile of a
> particular user, perhaps augmented by information passed to them by one
> or more of the sites concerned. This is a privacy issue.

I'd love to see an official statement from the Mozilla Foundation that
cross-domain ad correlation is evil, and should be stopped by
technology.  Certainly this is not what you're trying to say here.

I guess the real issue is that by setting a cookie for co.uk, it's
possible to exploit session fixation vulnerabilities in web sites under
co.uk.  Unfortunately, the Public Suffix List web site is a bit unclear
in this regard.  It does not list a single protocol spec which requires
this sort of data.

Received on Wednesday, 11 June 2008 20:17:14 UTC
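The session-fixation point in the last paragraph of the reply, shown as an added example (this is not code from the thread, from Mozilla or from the Public Suffix List project): a toy browser cookie jar that can run either with or without public-suffix knowledge. Without it, a response from adserver.co.uk may set a cookie with Domain=co.uk, and that cookie is then sent to mybank.co.uk, so an attacker controlling any co.uk host can plant a session identifier of their choosing on a sibling site. With the check, the Set-Cookie line is rejected. The rule subset, the host names and the cookie names are constructed for illustration; the domain-match and "reject public suffixes unless identical to the request host" rules follow what RFC 6265 later codified.

```javascript
// Added example: toy cookie jar with and without a public-suffix check.
// Constructed subset of rules in the Public Suffix List's own format:
// plain rules, wildcard ("*.") rules and exception ("!") rules.
const PSL_RULES = ["uk", "co.uk", "org.uk", "com", "jp", "*.ck", "!www.ck"];

function labels(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// Public suffix of `host` per the PSL algorithm: an exception rule wins
// outright (and drops its leftmost label), otherwise the longest matching
// rule wins; with no matching rule the suffix is the last label.
function publicSuffix(host) {
  const hl = labels(host);
  let bestLen = 1;
  for (const raw of PSL_RULES) {
    const exception = raw.startsWith("!");
    const rl = labels(exception ? raw.slice(1) : raw);
    if (rl.length > hl.length) continue;
    const matches = rl.every((r, i) => r === "*" || r === hl[hl.length - rl.length + i]);
    if (!matches) continue;
    if (exception) { bestLen = rl.length - 1; break; } // "!www.ck" -> suffix "ck"
    if (rl.length > bestLen) bestLen = rl.length;
  }
  return hl.slice(hl.length - bestLen).join(".");
}

// Domain-match: host equals domain, or host ends with "." + domain.
function domainMatches(host, domain) {
  const h = labels(host).join("."), d = labels(domain).join(".");
  return h === d || h.endsWith("." + d);
}

// Scope a Set-Cookie Domain attribute received from `requestHost`.
// Returns {domain, hostOnly} or null when the cookie must be ignored.
// usePsl = false models a browser that knows nothing about public suffixes.
function cookieScope(requestHost, domainAttr, usePsl) {
  const host = labels(requestHost).join(".");
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = labels(domainAttr.replace(/^\./, "")).join(".");
  if (!domainMatches(host, domain)) return null;        // unrelated domain
  if (usePsl && publicSuffix(domain) === domain) {
    // A public suffix is honoured only when it is the request host itself,
    // and then only as a host-only cookie; otherwise the cookie is dropped.
    return domain === host ? { domain, hostOnly: true } : null;
  }
  return { domain, hostOnly: false };
}

class CookieJar {
  constructor(usePsl) { this.usePsl = usePsl; this.cookies = []; }

  // Process "Set-Cookie: name=value; Domain=domainAttr" from requestHost.
  setCookie(requestHost, name, value, domainAttr) {
    const scope = cookieScope(requestHost, domainAttr, this.usePsl);
    if (scope === null) return false;
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === scope.domain));
    this.cookies.push({ name, value, ...scope });
    return true;
  }

  // Cookies that would accompany a request to `host`, as {name: value}.
  cookiesFor(host) {
    const h = labels(host).join(".");
    return Object.fromEntries(this.cookies
      .filter(c => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
      .map(c => [c.name, c.value]));
  }
}

// The scenario from the thread (constructed hosts): adserver.co.uk answers
// with "Set-Cookie: SESSIONID=attacker-chosen; Domain=co.uk", the user then
// visits mybank.co.uk. Returns what mybank.co.uk receives.
function fixationScenario(usePsl) {
  const jar = new CookieJar(usePsl);
  jar.setCookie("adserver.co.uk", "SESSIONID", "attacker-chosen", "co.uk");
  jar.setCookie("adserver.co.uk", "adtrack", "profile-42", "adserver.co.uk");
  return jar.cookiesFor("mybank.co.uk");
}
```

Run `fixationScenario(false)` and `fixationScenario(true)` side by side: the first returns the attacker's SESSIONID for mybank.co.uk, the second returns nothing, because `cookieScope` refuses Domain=co.uk for a response that did not come from co.uk itself. The `adtrack` cookie never reaches mybank.co.uk in either mode; the cross-site profiling in the quoted paragraph needs the co.uk-wide cookie too.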