Feeds

That UK.gov Firefox cookie leakage snafu explained

Cockup, not conspiracy

The Power of One eBook: Top reasons to choose HP BladeSystem

If you've used the latest version of Firefox to visit a UK government website in the last few weeks, you may have noticed something unusual in the browser address bar.

Instead of highlighting, for example, direct.gov.uk, as you might expect from Firefox 6.0's new domain-conscious security behaviour, only the gov.uk portion is shown in bold type.

directgov firefox6 domain-conscious screengrab

Far from merely a cosmetic change, this actually indicates potentially insecure behaviour that could enable user cookies to be shared between different government-run websites.

Firefox uses Mozilla's volunteer-maintained Public Suffix List to break down domain names into their component parts, enabling it essentially to determine which level of an address indicates its owner.

While anybody can register second-level domains such as example.com, some extensions require you to use the third level, such as example.co.uk and example.com.au.

The Public Suffix List sets out these registration policies for the world's 300-odd top-level domains in a simple list form. It's licensed under the GPL and also used by Chrome and some anti-spam software.

Because the PSL now classifies gov.uk as a single domain owned by a single entity, rather than thousands of different webmasters at thousands of departments, Firefox does too.

This, according to discussions on Mozilla's bug-tracker, Bugzilla, could give rise to cookie leakage.

It is possible that a cookie set by, say, HM Revenue & Customs could be read by, for example, Tower Hamlets Council or the British Embassy in Iraq.

But the risk is quite small, according to Mozilla Foundation volunteer Jothan Frakes, one of the half-dozen main contributors to the Public Suffix List.

For an HMRC cookie to be read by other government websites, HMRC would have to be setting cookies for the whole of .gov.uk, he said. An hmrc.gov.uk cookie would be safe.

Rather than some kind of government conspiracy, the problem appears to have been caused by an oversight, according to Simon McCalla, director of IT at .uk registry Nominet.

"We have not have received a request from anybody to formally change the policy for .gov.uk," he said.

After being informed in May that the PSL contained incomplete information about .uk, Nominet submitted a change request, adding .gov.uk, .police.uk and others to the list, McCalla said.

The .gov.uk space appears to have been treated as if it has a single owner because, from Nominet's perspective, it does – responsibility for .gov.uk and .ac.uk was delegated to JANET in 1996.

McCalla acknowledged that the result is less than ideal, and said Nominet will now ask JANET if it agrees that .gov.uk should be given a status on the PSL more equivalent to .co.uk.

"I think it will be dealt with very quickly," he said. He added that maintaining an up-to-date entry for the UK on the voluntary, non-standards PSL is "not a part of Nominet's operating procedures".

Due in part to its age, .uk is an unusual case, having a mix of second- and third-level domain owners.

While most second-level domains, such as .org.uk and .co.uk, are managed by Nominet, a handful – such as british-library.uk and parliament.uk – belong to third parties. ®

Maximizing your infrastructure through virtualization

More from The Register

next story
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
Bring back error correction, say Danish 'net boffins
We don't need no steenkin' TCP/IP retransmission and the congestion it causes
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
Samsung Z Tizen OS mobe is post-phoned – this time for good?
Russian launch for Sammy's non-droid knocked back
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.