Feeds

That UK.gov Firefox cookie leakage snafu explained

Cockup, not conspiracy

HP ProLiant Gen8: Integrated lifecycle automation

If you've used the latest version of Firefox to visit a UK government website in the last few weeks, you may have noticed something unusual in the browser address bar.

Instead of highlighting, for example, direct.gov.uk, as you might expect from Firefox 6.0's new domain-conscious security behaviour, only the gov.uk portion is shown in bold type.

directgov firefox6 domain-conscious screengrab

Far from merely a cosmetic change, this actually indicates potentially insecure behaviour that could enable user cookies to be shared between different government-run websites.

Firefox uses Mozilla's volunteer-maintained Public Suffix List to break down domain names into their component parts, enabling it essentially to determine which level of an address indicates its owner.

While anybody can register second-level domains such as example.com, some extensions require you to use the third level, such as example.co.uk and example.com.au.

The Public Suffix List sets out these registration policies for the world's 300-odd top-level domains in a simple list form. It's licensed under the GPL and also used by Chrome and some anti-spam software.

Because the PSL now classifies gov.uk as a single domain owned by a single entity, rather than thousands of different webmasters at thousands of departments, Firefox does too.

This, according to discussions on Mozilla's bug-tracker, Bugzilla, could give rise to cookie leakage.

It is possible that a cookie set by, say, HM Revenue & Customs could be read by, for example, Tower Hamlets Council or the British Embassy in Iraq.

But the risk is quite small, according to Mozilla Foundation volunteer Jothan Frakes, one of the half-dozen main contributors to the Public Suffix List.

For an HMRC cookie to be read by other government websites, HMRC would have to be setting cookies for the whole of .gov.uk, he said. An hmrc.gov.uk cookie would be safe.

Rather than some kind of government conspiracy, the problem appears to have been caused by an oversight, according to Simon McCalla, director of IT at .uk registry Nominet.

"We have not have received a request from anybody to formally change the policy for .gov.uk," he said.

After being informed in May that the PSL contained incomplete information about .uk, Nominet submitted a change request, adding .gov.uk, .police.uk and others to the list, McCalla said.

The .gov.uk space appears to have been treated as if it has a single owner because, from Nominet's perspective, it does – responsibility for .gov.uk and .ac.uk was delegated to JANET in 1996.

McCalla acknowledged that the result is less than ideal, and said Nominet will now ask JANET if it agrees that .gov.uk should be given a status on the PSL more equivalent to .co.uk.

"I think it will be dealt with very quickly," he said. He added that maintaining an up-to-date entry for the UK on the voluntary, non-standards PSL is "not a part of Nominet's operating procedures".

Due in part to its age, .uk is an unusual case, having a mix of second- and third-level domain owners.

While most second-level domains, such as .org.uk and .co.uk, are managed by Nominet, a handful – such as british-library.uk and parliament.uk – belong to third parties. ®

Maximizing your infrastructure through virtualization

More from The Register

next story
Google Nest, ARM, Samsung pull out Thread to strangle ZigBee
But there's a flaw in Google's IP-based IoT system
Orange spent weekend spamming customers with TXTs
Zero, not infinity, is the Magic Number customers want
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
US freemium mobile network eyes up Europe
FreedomPop touts 'free' calls, texts and data
'Two-speed internet' storm turns FCC.gov into zero-speed website
Deadline for comments on net neutrality shake-up extended to Friday
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
NBN Co execs: No FTTN product until 2015
Faster? Not yet. Cheaper? No data
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.