Closed Bug 1023367 Opened 10 years ago Closed 10 years ago

Decide what to do about sch.uk

Categories

(Core Graveyard :: Networking: Domain Lists, defect)

Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: gerv, Unassigned)

Details

The UK entry is, or will soon be (bug 1015214):

uk
foo.uk
bar.uk
...
*.sch.uk

The question is whether the PSL needs "sch.uk" on the list as well as "*.sch.uk".

UK schools register as myschool.geographicalarea.sch.uk - e.g. stanthonys.oxon.sch.uk or sthildas.cumbria.sch.uk. So the correct PSL entry is *.sch.uk. However, the UK registry points out that if someone manages to spoof a site for "sch.uk", e.g. by DNS manipulation, it will not be seen as a public suffix and so cookies could be set for it, which would then be sent across the entire *.*.sch.uk subspace.

The reason it would not be seen as a public suffix is that it wouldn't match the "*.sch.uk" rule, or any other long rule. It would only match the "uk" rule, so would be treated like "sch.com", and so cookies could be set.

The scenario above relies on DNS spoofing, and it's not clear at all why someone with that power would want to attack in this way, as opposed to straightforwardly spoofing the site they cared about. But there may be other vulnerabilities than cookies caused by this. 

This "loophole" or issue is caused when we have *.foo.bar in the PSL but not foo.bar. 

We could:
a) ignore the issue; it's unlikely to be a problem in practice 
b) update the algorithm which interprets the PSL to handle this case
c) add sch.uk (or, more generally, any sub-parts of a more complex part) to the PSL - we'd also need to make changes in .jp.

Gerv
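An added example (not part of the bug report and not Mozilla's code) that runs the matching rules published at publicsuffix.org over the entries quoted above, showing why "sch.uk" only matches the "uk" rule unless option c) is taken. The rule lists are small constructed samples, and the function names are hypothetical.

```python
# Added illustration: a minimal matcher for the publicsuffix.org algorithm.
# The rule lists below are constructed samples, not the real PSL.

def public_suffix(domain, rules):
    """Return the public suffix of `domain` under `rules`."""
    labels = domain.lower().rstrip(".").split(".")
    best = None                       # longest matching normal/wildcard rule
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue                  # a rule longer than the name cannot match
        tail = labels[-len(rule_labels):]
        if not all(r == "*" or r == l for r, l in zip(rule_labels, tail)):
            continue
        if is_exception:
            # Exception rules prevail: suffix is the rule minus its left label.
            return ".".join(rule_labels[1:])
        if best is None or len(rule_labels) > len(best):
            best = rule_labels
    # With no matching rule the implicit rule "*" applies (one label).
    width = len(best) if best else 1
    return ".".join(labels[-width:])


def is_public_suffix(domain, rules):
    """True when `domain` is itself a suffix, i.e. cookies for it are refused."""
    return public_suffix(domain, rules) == domain.lower().rstrip(".")


# Entries as described in the bug, plus "com" for the sch.com comparison.
AS_FILED = ["com", "uk", "*.sch.uk"]
# Option c): also list the parent of the wildcard rule.
OPTION_C = ["com", "uk", "sch.uk", "*.sch.uk"]
# The same shape under .jp (sample wildcard and exception rules).
JP_SAMPLE = ["jp", "*.kawasaki.jp", "!city.kawasaki.jp"]

if __name__ == "__main__":
    for name, rules in (("as filed", AS_FILED), ("option c", OPTION_C)):
        for host in ("sch.uk", "oxon.sch.uk", "stanthonys.oxon.sch.uk"):
            print(f"{name:9} {host:24} suffix={public_suffix(host, rules):12} "
                  f"is_suffix={is_public_suffix(host, rules)}")
```

Under the as-filed rules "sch.uk" resolves to the suffix "uk", exactly as "sch.com" resolves to "com"; with option c) it becomes a suffix in its own right, while the school names keep "oxon.sch.uk" as their suffix.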
Further investigation in bug 1015214 suggests that our Firefox C++ code can't cope with two rules which differ only in their not-ness or wildcard-ness, because it stores them in a hash keyed on the domain name only (without ! or *). Which is a bit sucky... but perhaps others have made the same mistake.

Given that, I think we should go for option a). Anyone disagree?

Gerv
Option a) it is.

Gerv
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Resolution: FIXED → WONTFIX
Product: Core → Core Graveyard