Well, that's a bug in the HTTP cookie spec. Regrettable, but as you note something that should have been foreseen. There's absolutely no excuse, as RFC6265 itself notes "cookies contain a number of security and privacy infelicities."
An interesting parallel: Facebook and Twitter also do not allow downvoting, which may have similar negative effects as Spotify's lack of dislikes:
> So Twitter artificially removes all the negative feedback (the downvotes) and only shows the positive feedback (the upvotes), leading many of their users to the mistaken impression that their insane ideas are immensely popular.
This is why I've set up my homelab with a hypervisor: you don't have to choose, and can run each of these operating systems for the specific purposes they are best suited for. This is what I do:
Is OpenIndiana really better than FreeBSD or ZFS on Linux today? I’ve had a pretty great experience using ZFS with NixOS but I’m curious if I’m missing anything.
Yeah, I think using ZFS even on Linux is fine now since they're using the same code base at this point. (IME Ubuntu has the most painless experience as it ships with the kernel by default.)
Which hypervisor are you using for that? I used to run Xen for a similar purpose, but I ended up just running normal Debian with a bunch of LXC containers instead after dealing with some Xen issues that were difficult to unravel.
> But what can we do to treat the cause, instead of just the symptoms?
By affecting the bottom line, increasing expenses and/or decreasing profits.
> If they stop working (or rather work less – it's a spectrum)
AdNauseam is an interesting attempt in this space - a browser plugin to automatically "click every ad to fight surveillance" (their words). By clicking everything, clicks become less valuable, at least in theory, but it has not really caught on.
> I feel the fix will be more along the lines of improving individual psychology and mental wellbeing, rather than entering the arms race of adversarial technology to block packet traffic (or whatever).
I agree with this. Ad blocking, ad clicking, packet blocking: these are all thinking too small, always trying to catch up. They will always be behind and, while useful for a niche subset of users, these kinds of technologies are more band-aids than a real solution to trigger fundamental changes to the advertising tracking industry.
What is a real, impactful solution? I don't know, but an area I have not seen explored much, considering by analogy:
Internet : Web ::
Big Tech : ???
That is, the web layered on top of the Internet, as a disruptively transforming application, extracting and providing value.
Can another technology be created to build on the foundations provided by Big Tech, delivering value they provide, while avoiding their tracking/advertising downsides? I have little idea what this would look like in practice (how do you disrupt a billion dollar industry?), but if someone can crack this nut, it may change the world. Startup idea elevator pitch: disrupt Big Tech.
Navidrome [2] is another relatively new option for music streaming servers. Lightweight, written in Go, can handle very large music collections, and is compatible with Subsonic/Madsonic/Airsonic.
The UI is pretty good by modern standards, the existing features work very well, it is very stable IMHO (at least with my 9300+ songs), and it is very easy to install.
I have tried 'em all and I'm sticking with Navidrome!
Edit: I forgot, it's fast on a Raspberry Pi 3B, which some aren't.
Submission statement: starting in October of last year, YouTube conducted what has been called a "massive purge" of channels. The BitBurned directory is an index of such (former) channels, with links to where they can be found on "alt-tech" (in contrast to Big Tech) services, including: Bitchute, Parler, Gab, and Rumble.
Recent relevant articles of interest, showing this is an important topic:
JANUARY 9, 2017 AT 9:06
Recommended Policy Guidance for Potential Pandemic Pathogen Care and Oversight
"Adoption of these recommendations will satisfy the requirements for lifting the current moratorium on certain life sciences research that could enhance a pathogen’s virulence and/or transmissibility to produce a potential pandemic pathogen (an enhanced PPP)."
I had the same question. It appears the We Are as Gods documentary is not out yet. According to IMDb, it will be released in March 2021 at the SXSW film festival (March 16-20).
Another attack scenario applies if the shared server hosts a web server:
If you have a shell and can bind a port, listen for HTTP requests. Example: nc -vvl 8080
Trick a victim into visiting your malicious port: http://example.com:8080/
The attacker gets the victim's cookies for http://example.com:80/ (and https://example.com:443/, if the "secure" flag is not set). And all other ports.
This attack succeeds because "Cookies do not provide isolation by port" (RFC6265 Section 8.5).
What is the fix? If only the cookie spec allowed binding to specific ports...
But an alternate fix could be requiring web browsers to only connect to privileged ports: 80 and 443, or any port <1024, thwarting the unprivileged user from exfiltrating cookies.
Unfortunately this ship has sailed and web browsers now have to support unprivileged ports forever. A more practical defense is to consider this scenario out of scope, and/or implement application-level authentication. I am with you, and would have advocated privileged ports to defend against these attacks (with http and ssh and other services), but am not optimistic it will gain any traction. The world has moved on, and even multi-user shell servers are becoming increasingly rare (as much as I use them; still a proud Super Dimension Fortress member).
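To make the scoping rule concrete, here is an added illustration (not from the thread) of the browser-side matching logic in RFC 6265 section 5.4 as a small Python model. A stored cookie carries a host, a path and a Secure flag but no port, so a request to any port on the same host receives it; only the Secure flag keeps it off plain-http ports. The cookie jar and URLs are constructed sample values.

```python
"""Model of RFC 6265 cookie matching (added illustration, not thread code).

A stored cookie has a host, a path and a Secure attribute, but no port.
Section 5.4 therefore attaches a cookie set by example.com:80 to a request
for example.com:8080 as well; only Secure keeps it off non-https ports.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str             # host the cookie was set for
    path: str = "/"
    secure: bool = False    # Secure attribute: only sent over https
    host_only: bool = True  # no Domain attribute: exact host match only


def domain_matches(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    # Section 5.1.3: host-only cookies need an exact match; domain cookies
    # also match subdomains of the cookie's domain. Ports play no role.
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    # Section 5.1.4 path-match rules.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for_request(jar, url):
    # Section 5.4: scheme, host and path decide; the URL's port is ignored.
    parts = urlsplit(url)
    host, path, is_https = parts.hostname or "", parts.path or "/", parts.scheme == "https"
    return [c for c in jar
            if domain_matches(host, c.domain, c.host_only)
            and path_matches(path, c.path)
            and (is_https or not c.secure)]


# Constructed sample jar: cookies the site set on example.com:80 and :443.
SAMPLE_JAR = [
    Cookie("session", "abc123", "example.com"),
    Cookie("tls_session", "xyz789", "example.com", secure=True),
]


def names_sent(url, jar=SAMPLE_JAR):
    """Names of the cookies a browser would attach to a request for url."""
    return [c.name for c in cookies_for_request(jar, url)]
```

The non-Secure cookie reaches an unprivileged port over plain http, while the Secure one is only attached to https requests, whatever the port.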