Re: Security Flaw in Cookies Implementation

[mouse () RODENTS MONTREAL QC CA (der Mouse)]

> I have discovered what I beleive to be a flaw in the implementation
> of cookies, that allows for possible security implications.
> http://www.paradise.net.nz/~glineham/cookiemonster.html

I particularly agree with the following text, taken from the URL I
quoted above:

        It has been pointed out to me that the whole idea of counting
        dots to determine valid domain settings for cookies is a
        fundamental flaw in the specification.

Consider my domain, for example: rodents.montreal.qc.ca.  Any
specification that allows any server not under rodents.montreal.qc.ca
to set cookies to be sent to any server that *is* under that domain is
broken.  As I read it, the spec (if correctly implemented) would allow
any .montreal.qc.ca server to set cookies to be sent to my web server
(if I had one).  That is, I can extend the statement that

        Any country that operates subclassification of its domains is
        susceptible.  [...]  Countries that do not subclassify their
        domains are not susceptible.

by pointing out that places that have additional levels of
subclassification (like .montreal.qc.ca, or .k12.XX.us) will be
susceptible even if the spec is correctly implemented.

The spec is also broken in that it hardwires in, for all time (or at
least for the useful lifetime of extant browsers, which amounts to much
the same thing in practice), the list of `generic' top-level domains.
Creating a new generic TLD will break it.

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B