Implementer's notes

A while back I submitted two Internet Drafts that try to fix a problem with limiting which domains a cookie can be set for (known as the "Cookie Monster Bug"), one using DNS to validate the domain (the method Opera is currently using), and one using a new protocol to retrieve information that can be used to validate the domain.

Reception to the drafts was mixed, as mentioned earlier some in the DNS/Registry community do not like the methods proposed because of the assumptions made about the DNS hierarchy. On the other hand the Mozilla developers have already started implementing a modified version of the -00 SubTLD draft.

I have now submitted updated drafts to the IETF.

The DNS validate draft is almost unchanged, there's just been some minor tuning.

The SubTLD draft has been updated with a new XML based file-format that makes the format more expandable and more readable. Thanks to Anne van Kesteren for the helping me with that.

These drafts, and the Cookie v2 draft I submitted last week are the alternatives we at Opera have been able to see for how to solve the cookie domain limitation problem. We would like suggestions not just for how to improve our proposals, but also alternative proposals (please consider submitting them as IETF Internet Drafts) that will fix the problem more efficiently that ours do.

While suggestions can be submitted directly to me, I would recommend that discussions be held in the IETF HTTP WG mailing list.

Links to the IETF Internet Drafts repository:

DNS Validate
SubTLD

Archive copies:

DNS Validate: draft-pettersen-dns-cookie-validate-01.txt
SubTLD: draft-pettersen-subtld-structure-01.txt

As I said in my previous article about cookie security, the current HTTP cookie specifications (Netscape cookies and RFC 2965) have a couple of serious security problems due to the way the server can specify the recipients of the cookie.

I've suggested two methods for dealing with the problem within the current cookie specifications, one using DNS lookups, which Opera is currently using, and the other requiring each TLD registry to post information about their domain structure.

Neither the TLD registries nor the DNS protocol people seem to want to use either of the proposals, basically because the proposals assigns "meaning to the content of labels and the position of labels" which they consider a mistake (apparently there are similar assumptions/problems in other proposals to the IETF, as well).

I certainly understand their reservations, but the abovementioned methods are the best I have been able to think of which that can control the existing problem without "breaking the Internet".

There is another option, however, which I considered mentioning as "Alternative 0" in my recent presentation of my proposals to the IETF DNS Operations Work Group, but it is a "break the Internet" proposal: Redefine how cookies are shared among servers, and disable the old versions, both Netscape and RFC 2965 cookies, in newer browsers (not necessarily at the same time).

So, how would a new cookie standard look?

For the most part I think it will look like the current RFC 2965 but with a few modifications:

• Remove the Domain attribute, and replace it with a SubDomain flag-attribute.
  
• Redefine the Path attribute so that the specified path must be a subpath of the default path of the URL setting the cookie.
  
• Add a $Origin attribute when sending cookies to the server, identifying the server setting the cookie
  
• Use the RFC 2965 request cookie attributes ($Domain, $Path) and $Origin for all cookies, also for Netscape cookies.
  

The current rules for the Domain cookie attribute are what have led to the problems I've described. The rules permit, with some restrictions, the server to specify any of its (grand)parent domains, implicitly assuming that the server's administrator is in control of that domain or permitted to send cookies to all servers in that domain. This is a dangerous assumption.

My suggestion is to remove the attribute completely, and only allow cookies to be set for one of two destinations: The server itself, or the subdomain (indicated by a Subdomain attribute) under the server, which has the same suffix as the name of the server. This means that server.example.com will be permitted to set cookies for itself, or to all servers x.server.example.com, but NOT to the domain example.com. This will restrict cookies to a domain where it is reasonable to assume the administrator has control, or is authorized to set cookies.

In a manner of speaking, this will make the server setting the cookie the main entrance of the site, with all content behind it.

The Path attribute has a similar interpretation as Domain: you can set a cookie for any parent path on your server (or domain), but not a subdirectory. Actually, the situation in Netscape cookies is a bit different, since Netscape never specifically said there was a path restriction when setting cookies, so the de-facto situation is that a server can set Netscape cookies (but not RFC 2965 cookies) for any path, without limitations. This is probably OK on a single-owner site, but not in shared hosting environment; The other website owners would not normally want to get somebody else's cookies.

My suggestion is that, if the abs-path of the URL setting the cookie is "/path/name", cookies should be limited to either the abs-path ("/path/name") portion of the URL setting the cookie, or to the default path ("/path/"), or to a path containg a prefix of "name" (e.g. "/path/na" or "/path/"+substring("name",x). As for domains, this will restrict cookies to an area of a website where it is reasonable to assume the administrator has control, or is authorized to set cookies.

When sending RFC 2965 cookies back to the server the client have to send along the Domain, Path and Port attributes that was used when the cookie was set. This was introduced to make the server able to distinguish which cookies it really wanted to use.

I suggest two changes to this format:

1. This information should be sent with all cookies, also the old cookies, and the $Domain and $Path attributes should be sent even if they were not orginally defined (using the default values). This will make it possible for servers to verify that they are not getting cookies it should not receive.
   
   
2. A $Origin attribute, specifying which server originally set the cookie. This attribute is not really necessary (and might perhaps be omitted) for cookies where the Subdomain attribute mentioned above is used, but will defintely be useful when handling
   Netscape and RFC 2965 cookies. It could also help with debugging.
   

Another possibility I'm considering is whether or not there should be an upper limit for how long a cookie can be valid. There are lots of servers setting cookies valid for 10 to 30 years. Are such long-lived cookies really necessary? Should we put some restriction at one, two or five years, or some other number of years? At the very least, perhaps a new specification should make it clear that a client MAY enforce an upper time limit for how long a cookie can be valid.

I know many people, in particular Web designers, will react strongly to some, or all, of these proposals.

What I hope people will understand is that we have a potentially serious security and privacy problem within the current definition of how cookies are used, and that we should fix the problem.

Two of the possibilities are what I have proposed earlier, but those are, as a couple of commenters in the IETF DNSop Work Group put it, "kludges" and "hacks".

Another possibility is to make cookies safe (or safer) by default. That will, however, require a rewrite of the rules and deprecation of the old-style cookies, as suggested above.

Websites implemented according to the prposed definition above are, fortunately, compatible with the old system. During the transition to the new cookies, both types of cookies can be used.

What we need now are more suggestions for how to secure cookies. My suggestions are the best I have been able to think of. Perhaps somebody else can propose better solutions, with lesser impact on existing systems than my proposals?

Cookies, small chunks of data placed on your computer by websites so that they can be returned to the website, have in the past 10+ years become a mostly useful part of online life. They are used "everywhere", from the beneficial login credentials used in these forums and various shopping carts, to the more ambivalent uses for advertisement targeting and other user tracking.

It is the latter point that makes many people a bit wary of cookies, and makes some people almost "paranoid" about them.

Let's get one thing settled right away: Cookies can only be sent to the server that set the cookie, or the group of servers to which that server belongs, as specified by the name of the server and the server itself. A cookie cannot be sent to a server outside that group.

Well, some bright readers are probably already asking: How do you define "group"? And how do you keep the groups from growing too big? Good questions, and that is what the rest of this article will be about.

Let's start with a simple example:

Example 1: www.example.com belongs to two groups, ".example.com" and ".com". The first, ".example.com", is perfectly acceptable, but what about the second one ".com"? Do we really want sites to be able to send cookies to all .com domains? No, we don't (add really capital letters and a couple of exlamation marks, if you want). So, the target group must contain at least two components (or an internal dot, as the specification say).

Fortunately, the specifications already says that for generic domains (like .com) the target domain must contain at least two components. So we are safe there.

Now, (example 2) what about www.example.no? Obviously, here we can use the same rules as for the generic domains (example 1).

And what about (example 3) www.example.co.uk? Obviously, since co.uk is a Top Level-like Domain we cannot permit cookies to be set for co.uk. That would permit a server to send a cookie for all servers in the co.uk area. But how do we consolidate this with example 2?

Or (example 4) what about www.example.suburb.city.state.us? It is equally unacceptable that cookies be set for the domain suburb.city.state.us.

This is starting to look really complicated, to put it mildy.

What we are trying to avoid is accidental, intentional, or even malicious interference with another service (e.g. Bank1 and Bank2 should not necessarily know about each other's customers, and if they want/need to share that information there are better means available to achive such sharing). Such interference can also have security implications, e.g. a specially crafted cookie might be used to block access to a site, or interfere with its operation.

Further, we want to limit cross-site information gathering. In many cases such information can be connected to a physical person (a few years ago DoubleClick got into serious trouble when they wanted to do just that). When such gathering is performed, the business connections should be out in the open, not hidden, as would be the case if any site could join the network clandestinely, by starting to look for a wide targeted cookie without informing the user.

Netscape, which wrote the initial specification for cookies, specified that the target domains for cookies had to contain at least one internal dot (example.com) in the generic domains like .com, while in all other top level domains (TLDs) the targets had to contain at least two internal dots (example.co.uk). That makes it impossible to set example.no in example 2 as the target domain, while it will permit cookies to be set for city.state.us. Oops! We've got double trouble: A rule that is too restrictive and too relaxed at the same time.

The second part of the rule, about non-generic domains, was never propely implemented by anyone (including Netscape and Opera), possibly because of example 2 (which is completely valid, from a practical point of view), and the rule was also easy to miss: It was a single sentence inside a larger paragraph. In late 1998 this missing check became notorious as the "Cookie Monster Bug". More about the consequences of that below.

The next versions of cookies (RFC 2109, RFC 2965) tried a different track: Cookies can only be set for the parent domain of the server, meaning that www.example.no can set cookie to example.no, www.example.co.uk to example.co.uk, but not co.uk, and www.example.suburb.city.state.us can set to example.suburb.city.state.us, but not suburb.city.state.us.

Now, this looks much better, but ... hmmmm ... what if somebody put the server at example.co.uk or example.suburb.city.state.us? Then they could set a cookie for, respectively, co.uk or suburb.city.state.us. Ooops, again! Not quite as watertight as we would prefer.

Browser vendors tried several ways to fix the Cookie Monster Bug. One was a black list of some second level domains, like "co", "com", "ac" etc, but they did not (and cannot) get every such TLD-like subdomain.

After the "Cookie Monster Bug" was discovered, Opera initially tried the double-dot-rule, and then the one-level-up approach, but neither worked very well.

The primary problem is: We want to let servers on a site be able to share information with the other servers on the site. But: How do you tell a valid site domain like example.no from the co.uk and suburb.city.state.us-type Top Level-like (non-site) domains?

It is not realistic to use short blacklists, there are too many ways each nation wants to do things, and the names cannot be put into nice convenient patterns (this is type1, that is type 2), making it impossible to use an heuristic method.

There is only one realistic option: We have to have some means of finding out which type of domain we are dealing with. This options has two alternatives: Either a big, expensive(!) database, or some kind of rule-of-thumb method.

Here at Opera we went for the rule-of-thumb method: When Opera is checking a cookie whose target domain matches certain criteriea (e.g. it is not a .com domain), we do a DNS name lookup for the target domain, to see if there is an IP address for that domain. If there is an IP address for the domain (e.g. example.no) we assume that the domain is a normal company domain, not a co.uk like domain, and therefore safe. If there is no IP address we assume that the domain is co.uk-like and therefore unsafe, and only allows the cookie to be set for the server that sent the cookie.

Unfortunately, this can break sites that do not have an IP address for their domain, but that is quite easy to fix for the webmaster, and it is also quite common to allow surfers to access the website without having to write out the "www." part, many also use this name in their advertising, so this is not an unsurmountable problem. Some sites even put their main site on the domain name, rather than at the www name.

Additionally, it is possible to get past this problem by using Opera's cookie filters to add an accept filter for the domain.

A bit more serious is the fact that some co.uk-like domains actually define an IP address for their domain, for example to provide a directory service. Alright, back to the drawing board.

After investigating many of the alternatives to securing the domain specification, only one alternative appears to do the job as well as it is possible to do it: A complete database of all co.uk-like domains, or subTLDs as I call them.

The problem is still the same one that shot down the idea the first time: It will be prohibitively expensive for a single company to examine all Top Level Domains, and their policies, in order to generate the list, and to maintain it.

The best solution appears to be one often used in Computer Science: "Divide and Conquer"¹. In this case, spread the workload of building the database as widely as is efficient and possible, find the people best suited to create and maintain the list. In my opionion those people are the registries that maintain each Top Level Domain.

The task can be performed by others, but these people will have to spend much more effort gathering, organizing, and assuring the quality of the information, than the companies in charge of the policies and the systems.

About three months ago I released an Internet Draft proposing a way of implementing such a database, and how clients, like Opera can use it to secure their cookie support. It will also be possible to use the specification for other operations.

At the same time, to document the system, I relased another draft describing Opera's implementation of the DNS validation of cookie domain system.

The drafts are available from the IETF's servers: DNS validate and subTLD

There are other issues related to control of cookies, in particular within shared hosting services, but those problems require different solutions, and I am also working to solve this problem, but it is still some way to go before this is ready to be published.

Please note: Some changes are planned, e.g. using another file format, probably XML. It may also turn out that other protocols can be used instead.

Feel free to send me comments and suggestions, either direct or on the IETF's HTTP Work Group mailing list.




¹ "Divide and Conquer" is a procedure by which a task is broken into smaller portions that can be handled independently, and then put back together, in a more efficient manner than if one tried to do the whole job in one go. It is often possible to repeat the procedure on the smaller portion. It should not be confused with the more nefarious political and military meaning of the expression.


Update September 21st:

As the drafts have now expired I have uploaded archive copies. The links above has also been updated.

draft-pettersen-dns-cookie-validate-00.txt
draft-pettersen-subtld-structure-00.txt