Feeds

That UK.gov Firefox cookie leakage snafu explained

Cockup, not conspiracy

The Power of One eBook: Top reasons to choose HP BladeSystem

If you've used the latest version of Firefox to visit a UK government website in the last few weeks, you may have noticed something unusual in the browser address bar.

Instead of highlighting, for example, direct.gov.uk, as you might expect from Firefox 6.0's new domain-conscious security behaviour, only the gov.uk portion is shown in bold type.

directgov firefox6 domain-conscious screengrab

Far from merely a cosmetic change, this actually indicates potentially insecure behaviour that could enable user cookies to be shared between different government-run websites.

Firefox uses Mozilla's volunteer-maintained Public Suffix List to break down domain names into their component parts, enabling it essentially to determine which level of an address indicates its owner.

While anybody can register second-level domains such as example.com, some extensions require you to use the third level, such as example.co.uk and example.com.au.

The Public Suffix List sets out these registration policies for the world's 300-odd top-level domains in a simple list form. It's licensed under the GPL and also used by Chrome and some anti-spam software.

Because the PSL now classifies gov.uk as a single domain owned by a single entity, rather than thousands of different webmasters at thousands of departments, Firefox does too.

This, according to discussions on Mozilla's bug-tracker, Bugzilla, could give rise to cookie leakage.

It is possible that a cookie set by, say, HM Revenue & Customs could be read by, for example, Tower Hamlets Council or the British Embassy in Iraq.

But the risk is quite small, according to Mozilla Foundation volunteer Jothan Frakes, one of the half-dozen main contributors to the Public Suffix List.

For an HMRC cookie to be read by other government websites, HMRC would have to be setting cookies for the whole of .gov.uk, he said. An hmrc.gov.uk cookie would be safe.

Rather than some kind of government conspiracy, the problem appears to have been caused by an oversight, according to Simon McCalla, director of IT at .uk registry Nominet.

"We have not have received a request from anybody to formally change the policy for .gov.uk," he said.

After being informed in May that the PSL contained incomplete information about .uk, Nominet submitted a change request, adding .gov.uk, .police.uk and others to the list, McCalla said.

The .gov.uk space appears to have been treated as if it has a single owner because, from Nominet's perspective, it does – responsibility for .gov.uk and .ac.uk was delegated to JANET in 1996.

McCalla acknowledged that the result is less than ideal, and said Nominet will now ask JANET if it agrees that .gov.uk should be given a status on the PSL more equivalent to .co.uk.

"I think it will be dealt with very quickly," he said. He added that maintaining an up-to-date entry for the UK on the voluntary, non-standards PSL is "not a part of Nominet's operating procedures".

Due in part to its age, .uk is an unusual case, having a mix of second- and third-level domain owners.

While most second-level domains, such as .org.uk and .co.uk, are managed by Nominet, a handful – such as british-library.uk and parliament.uk – belong to third parties. ®

HP ProLiant Gen8: Integrated lifecycle automation

More from The Register

next story
Brit celebs' homes VANISH from Google's Street View
Tony Blair's digs now a Tone-y Blur
Virgin Media goes titsup AGAIN. The cause? Yet MORE DNS strife
ISP refuses to comment on why outages keep happening
ISPs haul GCHQ into COURT over dragnet interwebs snooping
'Exploitation of network infrastructure is unlawful,' says co-claimant
What the world needs now is... a Bluetooth-enabled baby's dummy
Oh NO! Temp-sensor pacifier just got dunked in my tea
BT slapped down by BSkyB over O2 broadband 'switch off' porkies
Ad watchdog tells one-time state monopoly to behave
REVEALED: The sites blocked by Great Firewall of Iraq
Reg obtains list of banned sites in crisis-hit nation
Islamic terror peril hits US giants' phone wallets
'We have made the decision to rebrand' says ISIS Isis
Siri, did we just take a hit in that voice-recog patent fight?
Yes, Apple, you did, says this Beijing court
Street View Wi-Fi slurp nightmare: US Supremes snub Google's appeal
Ad giant must now face up to class-action suit over wireless data grab
FTC: T-Mobile USA took '$100s of millions' in bogus txt charges
Network CEO blasts Feds' allegations as baseless
prev story

Whitepapers

How modern custom applications can spur business growth.
In this whitepaper learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
The Power of One eBook: Top reasons to choose HP BladeSystem
Only the Power of One delivers leading infrastructure convergence, availability and scalability with federation, and agility through data center automation.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximizing your infrastructure through virtualization
Virtualization continues to be one of the most effective ways to consolidate, reduce cost, and make data centers more efficient.
Build a Business Case: Developing Custom Apps
In this whitepaper learn how to maximize the value of custom applications by accelerating and simplifying their development.