Re: Evil Cookies.

[tma () OSA COM AU (Tim Adam)]

Dylan Griffiths wrote:
> Thomas Reinke wrote:
> > There is no easy patch to this problem. The only solution I
> > can think of, which is not an easy one, would be to have browsers
> > have intimate knowledge of what constitutes an organization's
> > "domain of influence", and limit cookies accordingly. This
> > is essentially impossible to implement.
>
> > (Consider  domain.city.state.country - where is the allowable
> > domain of influence here? Probably 4 levels deep, but how
> > to indicate this to the browser).
>
> Perhaps this would be an exercise best left up to the user, as there is
> currently no way to indicate the scope of the authority (harmless TLD,
> country, normal domain, etc) in the DNS system.

A similar problem existed in WPAD (Web Proxy Auto-Discovery)
for IE 5.0: see MS Security Bulletin MS99-054 at
http://www.microsoft.com/technet/security/bulletin/ms99-054.asp

The browser was walking up the DNS hierarchy looking for the name wpad,
in some cases making queries outside the organization's trust boundary.

Tim.

--
Tim Adam  Tim.Adam () osa com au     http://www.osa.com
Software Development Engineer   Phone: +61 3 9895 2199
Open Software Associates Ltd.   Box Hill VIC Australia
 Proven Solution Deployment for the Global Enterprise