On Jun 11, 2008, at 3:16 PM, Florian Weimer wrote:
> I guess the real issue is that by setting a cookie for co.uk, it's
> possible to exploit session fixation vulnerabilities in web sites under
> co.uk.  Unfortunately, the Public Suffix List web site is a bit unclear
> in this regard.  It does not list a single protocol spec which requires
> this sort of data.

It's kind of assumed that you would be aware of these issues, I guess.
Lots of web sites use cookies to associate a session with a particular
user. With cross-site cookie theft, a malicious web site can gain access
to your session cookie even if it was protected by https encryption when
you were talking to the legitimate site.

Of course there are ways to mitigate this risk, but the only knob the
mozilla guys have to turn is preventing the cookie from being leaked in
the first place.
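The check the browser makes with the Public Suffix List, as an added example that is not part of this thread or of any browser's code: a Set-Cookie Domain attribute is accepted only if the request host sits under it and it is not itself a public suffix such as co.uk. `PSL_RULES` is a small constructed subset of the list, and the function names are the example's own.

```python
# Added example (not from the thread): reject a Set-Cookie Domain attribute
# that names a public suffix such as co.uk, the check browsers make against
# the Public Suffix List. PSL_RULES is a small constructed subset of the list.

PSL_RULES = [
    "uk", "co.uk", "org.uk", "com", "jp",
    "*.ck",            # wildcard: every label directly under ck is a suffix
    "!www.ck",         # exception: www.ck itself is registrable
    "*.tokyo.jp",
    "!metro.tokyo.jp",
]

def _rule_matches(rule, labels):
    """Match a PSL rule against host labels given least significant first."""
    rule_labels = rule.lstrip("!").split(".")[::-1]
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == h for r, h in zip(rule_labels, labels))

def public_suffix(host):
    """PSL algorithm: an exception rule prevails, else the longest matching
    rule; with no match at all the top-level label is the suffix."""
    labels = host.lower().strip(".").split(".")[::-1]
    best_len = 0
    for rule in PSL_RULES:
        if not _rule_matches(rule, labels):
            continue
        n = len(rule.split("."))
        if rule.startswith("!"):
            # exception rule: drop its leftmost label to obtain the suffix
            return ".".join(labels[: n - 1][::-1])
        best_len = max(best_len, n)
    return ".".join(labels[: max(best_len, 1)][::-1])

def cookie_domain_allowed(request_host, cookie_domain):
    """Accept a Domain attribute only if the request host lies within it and
    it is not itself a public suffix (so co.uk cannot be used for fixation)."""
    host = request_host.lower().strip(".")
    domain = cookie_domain.lower().strip(".")   # a leading dot is ignored
    if host != domain and not host.endswith("." + domain):
        return False    # cookie tries to scope itself to an unrelated domain
    return public_suffix(domain) != domain
```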

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop