Feeds

That UK.gov Firefox cookie leakage snafu explained

Cockup, not conspiracy

High performance access to file storage

If you've used the latest version of Firefox to visit a UK government website in the last few weeks, you may have noticed something unusual in the browser address bar.

Instead of highlighting, for example, direct.gov.uk, as you might expect from Firefox 6.0's new domain-conscious security behaviour, only the gov.uk portion is shown in bold type.

directgov firefox6 domain-conscious screengrab

Far from merely a cosmetic change, this actually indicates potentially insecure behaviour that could enable user cookies to be shared between different government-run websites.

Firefox uses Mozilla's volunteer-maintained Public Suffix List to break down domain names into their component parts, enabling it essentially to determine which level of an address indicates its owner.

While anybody can register second-level domains such as example.com, some extensions require you to use the third level, such as example.co.uk and example.com.au.

The Public Suffix List sets out these registration policies for the world's 300-odd top-level domains in a simple list form. It's licensed under the GPL and also used by Chrome and some anti-spam software.

Because the PSL now classifies gov.uk as a single domain owned by a single entity, rather than thousands of different webmasters at thousands of departments, Firefox does too.

This, according to discussions on Mozilla's bug-tracker, Bugzilla, could give rise to cookie leakage.

It is possible that a cookie set by, say, HM Revenue & Customs could be read by, for example, Tower Hamlets Council or the British Embassy in Iraq.

But the risk is quite small, according to Mozilla Foundation volunteer Jothan Frakes, one of the half-dozen main contributors to the Public Suffix List.

For an HMRC cookie to be read by other government websites, HMRC would have to be setting cookies for the whole of .gov.uk, he said. An hmrc.gov.uk cookie would be safe.

Rather than some kind of government conspiracy, the problem appears to have been caused by an oversight, according to Simon McCalla, director of IT at .uk registry Nominet.

"We have not have received a request from anybody to formally change the policy for .gov.uk," he said.

After being informed in May that the PSL contained incomplete information about .uk, Nominet submitted a change request, adding .gov.uk, .police.uk and others to the list, McCalla said.

The .gov.uk space appears to have been treated as if it has a single owner because, from Nominet's perspective, it does – responsibility for .gov.uk and .ac.uk was delegated to JANET in 1996.

McCalla acknowledged that the result is less than ideal, and said Nominet will now ask JANET if it agrees that .gov.uk should be given a status on the PSL more equivalent to .co.uk.

"I think it will be dealt with very quickly," he said. He added that maintaining an up-to-date entry for the UK on the voluntary, non-standards PSL is "not a part of Nominet's operating procedures".

Due in part to its age, .uk is an unusual case, having a mix of second- and third-level domain owners.

While most second-level domains, such as .org.uk and .co.uk, are managed by Nominet, a handful – such as british-library.uk and parliament.uk – belong to third parties. ®

High performance access to file storage

More from The Register

next story
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
Broadband Secretary of SHEEP sensationally quits Cabinet
Maria Miller finally resigns over expenses row
Skype pimps pro-level broadcast service
Playing Cat and Mouse with the media
Beat it, freetards! Dyn to shut down no-cost dynamic DNS next month
... but don't worry, charter members, you're still in 'for life'
Like Google, Comcast might roll its own mobile voice network
Says anything's possible if regulators approve merger with Time Warner
EE dismisses DATA-BURNING glitch with Orange Mail app
Bug quietly slurps PAYG credit - yet EE denies it exists
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.