Re: Security Flaw in Cookies Implementation

From: der Mouse (mouseat_private)
Date: Sat Dec 26 1998 - 08:47:06 PST

> I have discovered what I believe to be a flaw in the implementation
> of cookies, that allows for possible security implications.
> http://www.paradise.net.nz/~glineham/cookiemonster.html

I particularly agree with the following text, taken from the URL I
quoted above:

        It has been pointed out to me that the whole idea of counting
        dots to determine valid domain settings for cookies is a
        fundamental flaw in the specification.

Consider my domain, for example: rodents.montreal.qc.ca.  Any
specification that allows any server not under rodents.montreal.qc.ca
to set cookies to be sent to any server that *is* under that domain is
broken.  As I read it, the spec (if correctly implemented) would allow
any .montreal.qc.ca server to set cookies to be sent to my web server
(if I had one).  That is, I can extend the statement that

        Any country that operates subclassification of its domains is
        susceptible.  [...]  Countries that do not subclassify their
        domains are not susceptible.

by pointing out that places that have additional levels of
subclassification (like .montreal.qc.ca, or .k12.XX.us) will be
susceptible even if the spec is correctly implemented.

The spec is also broken in that it hardwires in, for all time (or at
least for the useful lifetime of extant browsers, which amounts to much
the same thing in practice), the list of `generic' top-level domains.
Creating a new generic TLD will break it.

                                        der Mouse

                               mouseat_private
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

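An added illustration, not code from this post or from the cookiemonster page: the dot-counting Domain rule as the Netscape cookie specification gave it (two dots for its seven hardwired generic TLDs, three for anything else), beside a public-suffix check of the kind browsers later adopted as the mitigation. The host names and the small suffix list are constructed; the two checks disagree exactly on the cases the post describes.

```python
# Added example, not the poster's code. Host names and PUBLIC_SUFFIXES are
# constructed for illustration.

# The generic TLDs the original spec hardwired: a Domain ending in one of these
# needs only two dots, any other Domain needs three.
GENERIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

# Constructed stand-in for a public suffix list: names under which unrelated
# parties register, so no single site may scope a cookie to them.
PUBLIC_SUFFIXES = {"ca", "qc.ca", "montreal.qc.ca", "com", "info", "us", "k12.xx.us"}


def tail_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or lies below it (case-insensitive)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def dot_rule_allows(host: str, domain: str) -> bool:
    """Dot-counting rule: the setting host must be within the Domain, and the
    Domain must carry two dots (generic TLD) or three dots (anything else)."""
    if not tail_matches(host, domain):
        return False
    domain = "." + domain.lower().lstrip(".")
    needed = 2 if domain.rsplit(".", 1)[-1] in GENERIC_TLDS else 3
    return domain.count(".") >= needed


def suffix_rule_allows(host: str, domain: str) -> bool:
    """Public-suffix rule: the setting host must be within the Domain, and the
    Domain itself must not be a suffix shared by unrelated registrants."""
    return tail_matches(host, domain) and domain.lower().lstrip(".") not in PUBLIC_SUFFIXES


def sent_to(request_host: str, domain: str) -> bool:
    """Whether a cookie scoped to `domain` accompanies requests to request_host."""
    return tail_matches(request_host, domain)


if __name__ == "__main__":
    cases = [
        ("other.montreal.qc.ca", ".montreal.qc.ca"),  # a sibling of rodents.montreal.qc.ca
        ("www.example.info", ".example.info"),        # TLD absent from the hardwired list
        ("www.rodents.montreal.qc.ca", ".rodents.montreal.qc.ca"),
    ]
    for host, domain in cases:
        print(f"{host:28} Domain={domain:25} dot-rule={dot_rule_allows(host, domain)!s:5} "
              f"suffix-rule={suffix_rule_allows(host, domain)}")
```

The first case is the post's complaint: the dot rule lets an unrelated host under montreal.qc.ca set a cookie that rodents.montreal.qc.ca would then receive, while the suffix check refuses it; the second shows the hardwired TLD list rejecting a legitimate Domain once a new generic TLD exists.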
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:19 PDT