Mozilla’s “Public Suffix List”
Since web cookies were invented by Netscape all those years ago, they have had one large flaw which has gone unfixed for years on end. Now, you might think, if this flaw is that large, then why hasn’t it been fixed before? Well, it’s a story all about numerous RFCs, cookie implementations and the mess that is domain registration rules.
Basically, each domain registry gets to decide how people can register domain names under their top-level domain. Some have chosen to allow direct registration of second-level domains (e.g. .be for Belgium) while some have decided to only allow third-level registrations (e.g. .co.uk for the UK). What this means is that there is no algorithmic method of working out which top-level domains allow second-level registrations, which only allow third-level and which allow a combination of both. While this may not sound too important, it has an important side effect for cookie setting.
What it means is that the web browser cannot reliably decide at which level cookies are allowed to be set. The rule browsers have followed instead is simply that no cookies can be set for a top-level domain (such as .com). However, this still lets sites set cookies for second-level domains that are really registry suffixes, where they shouldn’t be able to (such as .co.uk). PayPal actually does this, and it means that its cookie gets sent by the browser to every single .co.uk website. This is, of course, a major breach of security, but one which has been difficult to plug for a long time.
Now though, Mozilla have come up with a method of deciding where cookies can and cannot be set. It is called the public suffix list, and it’s basically a text database of every single top-level domain and at which level cookies can be set. Checking against this database will allow the browser to decide whether to allow a cookie or block it.
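To make the check concrete, here is an added example (my own illustration, not Mozilla’s code or the real list) of how a browser can consult a suffix list before honouring a cookie’s Domain attribute. It embeds a constructed, hand-picked handful of rules in the list’s plain-text format and goes slightly beyond what the post describes by also handling the wildcard (`*.`) and exception (`!`) rule types that the published list uses; the rule lines and host names are constructed for illustration.

```python
"""Simplified Public Suffix List lookup and cookie-Domain check.

Constructed example, not Mozilla's code. The rule list below is a tiny
hand-picked subset in PSL-style text format; the real list has thousands
of entries.
"""
from __future__ import annotations

# Constructed mini-list: comments start with "//", "*." marks a wildcard
# rule and "!" marks an exception to a wildcard rule.
PSL_TEXT = """\
// ---- constructed subset for illustration only ----
com
be
uk
co.uk
// wildcard: every label directly under .ck is itself a public suffix...
*.ck
// ...except www.ck, which is registrable
!www.ck
"""


def parse_psl(text: str) -> list[str]:
    """Return the rule lines, ignoring comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.lower())
    return rules


def _rule_matches(rule: str, labels: list[str]) -> bool:
    """A rule matches when its labels equal the host's trailing labels,
    with '*' matching any single label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for rl, hl in zip(reversed(rule_labels), reversed(labels)):
        if rl != "*" and rl != hl:
            return False
    return True


def public_suffix(host: str, rules: list[str]) -> str:
    """Public suffix of host: an exception rule wins outright (its labels
    minus the first one), otherwise the longest matching rule; a host under
    an unlisted TLD defaults to its last label."""
    labels = host.lower().rstrip(".").split(".")
    matches = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        return ".".join(exceptions[0][1:].split(".")[1:])
    if not matches:
        return labels[-1]
    best = max(matches, key=lambda r: r.count(".") + 1)
    n = best.count(".") + 1
    return ".".join(labels[-n:])


def registrable_domain(host: str, rules: list[str]) -> str | None:
    """Public suffix plus one more label, or None when the host is itself
    a public suffix (so nothing below it belongs to a single owner)."""
    suffix = public_suffix(host, rules)
    labels = host.lower().rstrip(".").split(".")
    n = suffix.count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def cookie_domain_allowed(request_host: str, cookie_domain: str,
                          rules: list[str]) -> bool:
    """Decide whether a Set-Cookie Domain attribute should be honoured:
    the domain must not be a public suffix, and the request host must be
    that domain or a subdomain of it."""
    domain = cookie_domain.lower().strip(".")
    host = request_host.lower().rstrip(".")
    if registrable_domain(domain, rules) is None:
        return False  # e.g. Domain=.co.uk or Domain=.com is refused
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    rules = parse_psl(PSL_TEXT)
    # A cookie scoped to .co.uk is blocked; one scoped to the site's own
    # registrable domain is accepted.
    print(cookie_domain_allowed("www.paypal.co.uk", ".co.uk", rules))
    print(cookie_domain_allowed("www.paypal.co.uk", "paypal.co.uk", rules))
```

The decisive step is `registrable_domain`: a Domain attribute that has no labels beyond its public suffix is exactly the case the post describes, and refusing it stops the cookie from being sent to every site under that suffix.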
I am one of the volunteers currently working on this project, and hopefully with the co-operation of the registries, information in cookies will soon become that little bit more secure. Mozilla also hopes to distribute this file to other browser manufacturers, to allow them to secure their cookie handling as well, as a service to the public.