- From: Koen Holtman <koen@win.tue.nl>
- Date: Sun, 10 Dec 1995 22:13:51 +0100 (MET)
- To: Dave Kristol <dmk@allegra.att.com>
- Cc: luotonen@netscape.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Dave Kristol: > >Ari Luotonen <luotonen@netscape.com> wrote: >>Furthermore, a shortcoming in the state-info spec as opposed to the >>Cookie spec is that state identifiers cannot be shared between hosts >>(unless yet some more infrastructure is laid down on the server >>cluster side). Not all systems are self-contained in a single host, >>and therefore there is value in being able to share cookies accross >>different hosts. > >This is definitely true. It is also definitely true that the `domain=' cookie feature as proposed by Netscape has some serious worst case privacy problems. A discussion of this, using co.uk domains as an example I believe, was posted a while ago. I think a middle ground can be found here: we could either make use of large domains (like co.uk) more visible to the user, or strengthen the restrictions on the `domain=' header from the current | Only hosts within the specified domain can set a cookie for a | domain and domains must have at least two (2) periods in them | to prevent domains of the form: ".com" and ".edu". to something like A host can only set cookies for a domain DOMAIN_NAME if its host name has the form HOST.DOMAIN_NAME where HOST may not contain any periods. Also, domains must have at least two (2) periods in them to prevent domains of the form: ".com" and ".edu". When writing the above, I went over the domain restrictions in the cookie proposal again, and it occurs to me that there is also a _security_ problem involved. Take for example a shopping server named www.acme.co.uk that uses cookies like CUSTOMER=WILE_E_COYOTE to identify customers. Now, a malicious site www.roadrunner.co.uk could send out the following header in its responses: Set-Cookie: CUSTOMER=BILL_GATES; path=/; domain=co.uk; expires=Wednesday, 09-Nov-99 23:12:40 GMT If WILE_E_COYOTE first goes to www.roadrunner.co.uk and then to www.acme.co.uk, the acme server will get Cookie: CUSTOMER=BILL_GATES without any hint of the fact that this cookie was not set by the acme server itself. This will presumably drastically reduce WILE_E_COYOTE's chances of getting acme to send him a ROCKET_LAUNCHER_0001. And if the real BILL_GATES happens to be using acme.co.uk at the same time, lots of additional interesting things will happen. So basically, with this domain feature, you cannot trust any cookie value you get. A malicious site could flood your server with 500 users all called BILL_GATES. The problem gets even bigger if you want to use cookies as anonymous, but unique, user identifiers. Hm. It seems that to completely solve this cookie spoofing problem, even my strengthening for the domain restriction above will not be sufficient. There are a number of ISPs that offer host names like companya.isp.net and companyb.isp.net to competing companies. Maybe the hostname of the host that last changed the cookie will have to be sent along with any Cookie that is set for a domain? [...] >[Sorry, Larry M.] Yes, I agree that Cookies are used and work for >real-life applications. For the record, Lou Montulli recently sent me mail saying that he was told that the number of sites using cookies is in the hundreds. > I welcome the possibility to improve them. Many >of us await a more detailed specification of the current Cookie mechanism >so we can do just that. Count me among the waiting. Netscape has been very silent about cookies on this list in the past. Am I the first one to think up the above security problem, or have things like this already been found and solved within Netscape without us knowing about it? >Dave Kristol Koen.
Received on Sunday, 10 December 1995 13:19:21 UTC