[Bug 163774] Questions about domain name policies in /usr/share/apps/khtml/domain_info


[Bug 163774] Questions about domain name policies in /usr/share/apps/khtml/domain_info

by Bugzilla from bortzmeyer+kde@nic.fr


[Sent to this list per request of Christophe Giboudeaux. Please copy
me in the answers, I'm not subscribed to this list.]

http://bugs.kde.org/show_bug.cgi?id=163774         

Konqueror has a file named /usr/share/apps/khtml/domain_info which, on
my system, contains:

twoLevelTLD=name,ai,au,bd,bh,ck,eg,et,fk,il,in,kh,kr,mk,mt,na,np,nz,pg,pk,qa,sa,sb,sg,sv,ua,ug,uk,uy,vn,za,zw

I do not find where it is documented, I assume it is maintained by
hand and is related to cookie policy.

1) Can you explain what this file is for and what precise criteria are
   used to be included in it?

2) Some TLD like ".fr" (for which I work) but also ".af", ".dz", etc,
   register both in the TLD and in subdomains. How is it handled?

3) How is this file maintained? Suppose we open ".pm" (which we,
   AFNIC, also manage) tomorrow with a "2 level" policy, how long will
   it take for this information to arrive in every Konqueror?



Re: [Bug 163774] Questions about domain name policies in /usr/share/apps/khtml/domain_info

by Richard Moore-3


On 6/11/08, Stephane Bortzmeyer <bortzmeyer+kde@...> wrote:

> http://bugs.kde.org/show_bug.cgi?id=163774
>
> Konqueror has a file named /usr/share/apps/khtml/domain_info which, on
> my system, contains:
>
> twoLevelTLD=name,ai,au,bd,bh,ck,eg,et,fk,il,in,kh,kr,mk,mt,na,np,nz,pg,pk,qa,sa,sb,sg,sv,ua,ug,uk,uy,vn,za,zw
>
> I do not find where it is documented, I assume it is maintained by
> hand and is related to cookie policy.
>
> 1) Can you explain what this file is for and what precise criteria are
>   used to be included in it?

IIRC it is to deal with the cross-domain cookie issue Paul Johnston
and I reported in 2004. See
http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt

Cheers

Rich.

Re: [Bug 163774] Questions about domain name policies in /usr/share/apps/khtml/domain_info

by Bugzilla from thiago@kde.org


On Wednesday 11 June 2008 13:33:34 Stephane Bortzmeyer wrote:
> 3) How is this file maintained? Suppose we open ".pm" (which we,
>    AFNIC, also manage) tomorrow with a "2 level" policy, how long will
>    it take for this information to arrive in every Konqueror?

In every Konqueror running? Probably never.

We'll add it to the next releases as soon as we get the information from a
trustworthy source. But changing released versions isn't something we can do.

Our downstream distributors may be able to repackage the file for their own
next releases without updating Konqueror, but we can't force them either.

--
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358



Re: [Bug 163774] Questions about domain name policies in /usr/share/apps/khtml/domain_info

by Bugzilla from bortzmeyer+kde@nic.fr


On Mon, Jun 16, 2008 at 01:27:54PM +0100,
 Richard Moore <richmoore44@...> wrote
 a message of 21 lines which said:

> IIRC it is to deal with the cross-domain cookie issue Paul Johnston
> and I reported in 2004. See
> http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt

Well, the attacks described in this paper are all because of bad
practices from Web applications, no? For instance, the attack:

  1) http://example.ltd.uk/ is identified for attack. It uses the "sid"
     cookie to hold the session ID.
  2) Attacker obtains attacker.ltd.uk domain
  3) User is enticed to click link to http://attacker.ltd.uk/
  4) This site sets the "sid" cookie with domain=.ltd.uk
  5) When user logs into example.ltd.uk, they are using a session ID known
     to the attacker.
  6) Attacker now has a logged-in session ID and has compromised the
     user's account.

works only if, at step 5), example.ltd.uk is stupid enough to reuse
the session ID (a fresh one should be generated if there is a
successful authentication).

Also, it does not address my other questions:


2) Some TLD like ".fr" (for which I work) but also ".af", ".dz", etc,
   register both in the TLD and in subdomains. How is it handled?

3) How is this file maintained? Suppose we open ".pm" (which we,
   AFNIC, also manage) tomorrow with a "2 level" policy, how long will
   it take for this information to arrive in every Konqueror?


Re: [Bug 163774] Questions about domain name policies in /usr/share/apps/khtml/domain_info

by Bugzilla from thiago@kde.org


On Thursday 19 June 2008 10:32:48 Stephane Bortzmeyer wrote:
> 3) How is this file maintained? Suppose we open ".pm" (which we,
>    AFNIC, also manage) tomorrow with a "2 level" policy, how long will
>    it take for this information to arrive in every Konqueror?

We don't have any procedure for updating that file. It comes probably from
reports of bugs and someone updates it. Sending an email to this list is a way
as well. And if it comes from a trusted source (like nic.fr) we can probably
speed up the change.

But there's no mechanism in place for distributing the updated file short of a
new KDE release. And there will be no more large KDE 3.5 releases, and
probably no more 4.0 releases either. Linux distributors might pick up the
changes we make if we let them know, so they update their packages (whether
it applies to old, current or new versions of the distributions, we can't
really tell).

--
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

