[dns-operations] Monday rant againt the uses of the Public Suffix List

[Florian Weimer]

* Vernon Schryver:

> It might also be worth noting that co.uk as well as com, org and
> the few other TLDs that I tried just now lack A, AAAA, and MX RRs,
> so a browser could use a DNS test to reject some supercookies.

Doesn't work.  There aren't address records for enyo.de, but I could
currently set cookies for .enyo.de in browsers.  The address records
rule would break that, and I'm sure some web sites rely on it.

> However, please pardon me for being too stupid and senile to
> understand a difference that matters to me as a user between
> legitimate and other kinds of third party cookies such as between
> an HTTP server at www.example.com setting a cookie for domain.com
> from the same HTTP server setting a cookie at com or co.uk.

It's true that for cookies, the public suffix list doesn't make that
much sense.  Direct cookie-based tracking is too visible and leads to
questions.  Different, domain-specific cookies which vary over time
can still be correlated in the backend and are vastly better in this
regard.

The public suffix list is still useful for URL bar highlighting and
browser extensions such as NoScript.  Those are fairly narrow
applications, though.