STE WILLIAMS

That UK.gov Firefox cookie leakage snafu explained

If you’ve used the latest version of Firefox to visit a UK government website in the last few weeks, you may have noticed something unusual in the browser address bar.

Instead of highlighting, for example, direct.gov.uk, as you might expect from Firefox 6.0’s new domain-conscious security behaviour, only the gov.uk portion is shown in bold type.

directgov firefox6 domain-conscious screengrab

Far from merely a cosmetic change, this actually indicates potentially insecure behaviour that could enable user cookies to be shared between different government-run websites.

Firefox uses Mozilla’s volunteer-maintained Public Suffix List to break down domain names into their component parts, enabling it essentially to determine which level of an address indicates its owner.

While anybody can register second-level domains such as example.com, some extensions require you to use the third level, such as example.co.uk and example.com.au.

The Public Suffix List sets out these registration policies for the world’s 300-odd top-level domains in a simple list form. It’s licensed under the GPL and also used by Chrome and some anti-spam software.

Because the PSL now classifies gov.uk as a single domain owned by a single entity, rather than thousands of different webmasters at thousands of departments, Firefox does too.

This, according to discussions on Mozilla’s bug-tracker, Bugzilla, could give rise to cookie leakage.

It is possible that a cookie set by, say, HM Revenue Customs could be read by, for example, Tower Hamlets Council or the British Embassy in Iraq.

But the risk is quite small, according to Mozilla Foundation volunteer Jothan Frakes, one of the half-dozen main contributors to the Public Suffix List.

In order for an HMRC cookie to be read by other government websites, HMRC would have to be setting cookies for the whole of .gov.uk, he said. An hmrc.gov.uk cookie would be safe.

Rather than some kind of government conspiracy, the problem appears to have been caused by an oversight, according to Simon McCalla, director of IT at .uk registry Nominet.

“We have not have received a request from anybody to formally change the policy for .gov.uk,” he said.

After being informed in May that the PSL contained incomplete information about .uk, Nominet submitted a change request, adding .gov.uk, .police.uk and others to the list, McCalla said.

The .gov.uk space appears to have been treated as if it has a single owner because, from Nominet’s perspective, it does – responsibility for .gov.uk and .ac.uk was delegated to JANET in 1996.

McCalla acknowledged that the result is less than ideal, and said Nominet will now ask JANET if it agrees that .gov.uk should be given a status on the PSL more equivalent to .co.uk.

“I think it will be dealt with very quickly,” he said. He added that maintaining an up-to-date entry for the UK on the voluntary, non-standards PSL is “not a part of Nominet’s operating procedures”.

Due in part to its age, .uk is an unusual case, having a mix of second- and third-level domain owners.

While most second-level domains, such as .org.uk and .co.uk, are managed by Nominet, a handful – such as british-library.uk and parliament.uk – belong to third parties. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/cookie_leak_bug_hits_gov_uk/

Comments are closed.