Re: [Bug-wget] Supercookie issues


From: Ángel González
Subject: Re: [Bug-wget] Supercookie issues
Date: Fri, 09 Nov 2012 17:36:56 +0100
User-agent: Thunderbird

On 09/11/12 16:27, Tim Ruehsen wrote:
> While implementing cookies for Mget (https://github.com/rockdaboot/mget)
> conforming to RFC 6265, I stumbled over http://publicsuffix.org/ (Mozilla
> Public Suffix List).
>
> Looking at the Wget sources reveals that there is just a very incomplete check
> for public suffixes. That implies a very severe vulnerability to "supercookie"
> attacks when cookies are switched on (they are by default).
>
> Since Mget was meant as a Wget2 candidate (all or parts of the sources), please
> feel free to copy the needed source code from it (see cookie.c/cookie.h and
> tests/test.c for test routines). Right now, I just don't have the time to do
> the work, but of course I will answer your questions.
>
> Shouldn't there be a warning within the docs / man pages?
> What do you think?
>
> Regards, Tim
I see little reason for concern about supercookies on wget given that it
is unlikely to use it for different "tasks" in the same invocation, and
cookies are not automatically loaded/saved across invocations.
And for having a supercookie passed in the same run (e.g. one website
redirected to the other), they are probably cooperating domains, so the
supercookie doesn't add much information.
You would need to be using --load-cookies and --save-cookies to allow such
supercookie spying.
The worst case is probably if the cookie file was shared with a browser, or
it was taken from a browser (with many cookies unrelated to what is intended)
and passed to wget with --load-cookies and wget sent more cookies than
expected.

Although not too important, it should be fixed, of course. The Mozilla Public
Suffix List isn't very simple for reuse; its format is designed for how they
use it internally.
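The check the thread is discussing, as an added example that is not part of this message, nor code from Wget or Mget: the RFC 6265 section 5.3 rule that a Set-Cookie Domain attribute equal to a public suffix (such as `co.uk`) must be ignored, because such a cookie would be sent to every site under that suffix, plus the domain-match rule that the responding host must actually lie inside the claimed domain. The public suffix list here is a small constructed excerpt; a real implementation loads the full Mozilla list and also handles its `*.` wildcard and `!` exception rules, and the RFC's "host is not an IP address" condition is left out for brevity.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed excerpt of a public suffix list: domains on which this example
 * refuses to set cookies. A full implementation would load the complete
 * Mozilla list and handle its "*." wildcard and "!" exception entries. */
static const char *const PUBLIC_SUFFIXES[] = {
    "com", "org", "net", "uk", "co.uk", "org.uk", "github.io", NULL
};

/* Copy src into dst, lowercased and without a leading dot (RFC 6265 5.2.3). */
static void normalize_domain(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;
    if (*src == '.')
        src++;
    for (; *src && i + 1 < dstlen; src++)
        dst[i++] = (char)tolower((unsigned char)*src);
    dst[i] = '\0';
}

/* Returns 1 if `domain` (already normalized) is listed as a public suffix. */
int is_public_suffix(const char *domain)
{
    for (const char *const *p = PUBLIC_SUFFIXES; *p; p++)
        if (strcmp(domain, *p) == 0)
            return 1;
    return 0;
}

/* RFC 6265 section 5.1.3 domain matching: host equals domain, or host ends
 * with domain and the character just before that suffix is a dot. Both
 * arguments must already be lowercase. */
int domain_match(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0)
        return 0;
    if (strcmp(host, domain) == 0)
        return 1;
    if (dl >= hl)
        return 0;
    return strcmp(host + (hl - dl), domain) == 0 && host[hl - dl - 1] == '.';
}

/* Decide whether a Set-Cookie Domain attribute may be accepted for a response
 * from `request_host` (RFC 6265 section 5.3, steps 5 and 6).
 * Returns 1 if the cookie may be stored with that domain, 0 if it must be
 * ignored. Host names longer than 255 bytes are truncated by the buffers. */
int cookie_domain_ok(const char *request_host, const char *domain_attr)
{
    char host[256], domain[256];
    normalize_domain(request_host, host, sizeof host);
    normalize_domain(domain_attr, domain, sizeof domain);

    if (domain[0] == '\0')
        return 1;  /* no Domain attribute: host-only cookie, nothing to check */

    /* Step 5: a Domain equal to a public suffix would be sent to every site
     * under that suffix (the "supercookie"); reject it unless it is exactly
     * the request host itself. */
    if (is_public_suffix(domain) && strcmp(domain, host) != 0)
        return 0;

    /* Step 6: the responding host must lie within the claimed domain. */
    return domain_match(host, domain);
}

int main(void)
{
    /* Constructed request-host / Domain-attribute pairs. */
    const char *checks[][2] = {
        {"www.example.co.uk", "co.uk"},          /* supercookie: rejected */
        {"www.example.co.uk", "example.co.uk"},  /* accepted */
        {"www.example.com", ".Example.COM"},     /* leading dot, case: accepted */
        {"www.evil-example.com", "example.com"}, /* no dot boundary: rejected */
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++)
        printf("%-22s Domain=%-16s -> %s\n", checks[i][0], checks[i][1],
               cookie_domain_ok(checks[i][0], checks[i][1]) ? "accept" : "reject");
    return 0;
}
```

Note that the public-suffix check on its own is not enough: the domain-match step is what stops a host from setting a cookie for an unrelated registrable domain, and the dot-boundary test is what keeps `evil-example.com` from claiming `example.com`.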
