(Why, yes, I came up with the name, and had to find some bugs to be able
to post this.)
Summary
---
There are three fairly interesting flaws in how HTTP cookies were
designed and later implemented in various browsers; these shortcomings
make it possible (and alarmingly easy) for malici
On Sun, 29 Jan 2006, Amit Klein (AKsecurity) wrote:
> I tried setting a cookie for .com.pl, and I failed (that is, the browser
> did not respect it). If you set a cookie for .kom.pl, it will be OK (if
> you're in .kom.pl domain, that is).
Amit,
Mozilla/Firefox/Netscape are vulnerable to this fla
On Sun, 29 Jan 2006 01:50:23 +0100, Michal Zalewski <[EMAIL PROTECTED]> wrote:
Problem #1 - trouble with these pesky foreigners
The mechanism for preventing overly relaxed cookie domain
specification seems to be broken in all majo
Yngve Nysaeter Pettersen wrote:
> > Problem #1 - trouble with these pesky foreigners
> >
> > The mechanism for preventing overly relaxed cookie domain
> > specification seems to be broken in all major browsers. Some ancient
> >
On Fri, 3 Feb 2006, Glynn Clements wrote:
We are investigating ways to improve on this method, but as far as I can
tell, any improvement will require a coordinated effort by all the gTLD
and ccTLD registries.
Any improvement will require that browsers only pass cookies to
domains which are exp