by tptacek 4530 days ago
This is something Zalewski has written about: http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-... --- if this kind of thing is interesting to you, his latest book, _The Tangled Web_, is excellent.
4 comments

That page, and the linked browsersec pages on Google Code, are terrifying. Time to burn it all down and start from scratch.

I was particularly stunned to learn HTTP Cookie headers can clobber 'secure' cookies set over HTTPS. Eye-popping.

And to increase your terror, check out http://lcamtuf.coredump.cx/postxss/
Another vote for The Tangled Web. It's a great read.
I read that post before; maybe I missed it, but where does he talk about the DoS possibilities of cookie tossing?
Search for "Does this matter from a security perspective".

Also: take a crack at the CTF we set up. I think (a) you'll do well at it and (b) it'll be fun to watch you. http://microcorruption.com.

Yes, now I see. Weird that it stayed unfixed; the Public Suffix List is not implemented in Chrome.

Anyway, the list is not even close to a real solution (just had a long discussion with @titanius on Twitter about why not). So many quirks and use cases of <sub>.domain.

> it'll be fun to watch you

uh. hmm, ok.

No pressure there.
You too! You helped us plan the damn thing!
The attack was also discussed in detail here: http://mixedbit.org/blog/2013/04/11/dos_attack_on_cdn_users....