Christine Lemmer-Webber (cwebber@octodon.social)'s status on Thursday, 14-Jun-2018 21:16:18 UTC
ugh, I also need to prevent confused deputy attacks against localhost because we're not running ocap operating systems and perimeter security is a failure
Christine Lemmer-Webber (cwebber@octodon.social)'s status on Thursday, 14-Jun-2018 21:19:29 UTC
if anyone wants a fun story about just how dangerous confused deputies can be, see https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html which is a security vulnerability I bumped into which allowed for arbitrary code execution against guile processes that were being used for local development
Christine Lemmer-Webber (cwebber@octodon.social)'s status on Thursday, 14-Jun-2018 21:21:00 UTC
Some lessons:
- never trust anything that says it's "localhost-only". It probably isn't. Use unix domain sockets instead.
- Someone can always blame someone else for confused deputy attacks because in a sense, the program is behaving "correctly"
- Object capability people will continue being cassandras crying about why perimeter security is a failure and will be *right*. Perimeter security is eggshell security. But nobody listens anyway because "why not, ACLs seem to work"
Christine Lemmer-Webber (cwebber@octodon.social)'s status on Thursday, 14-Jun-2018 21:22:14 UTC
Unix domain sockets are still perimeter security, but are a bit less likely to be exploited because many services may accidentally do http requests against localhost and won't realize how many things they can fuck up
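The thread's practical advice is "use Unix domain sockets instead of a localhost TCP port". The concrete reason a defender cares is shown below in an added example (not code from the thread or from any project it mentions): a TCP listener on 127.0.0.1 accepts a connection from any local process and cannot learn which user started it, whereas a Unix domain socket can be created with a 0600 file mode and the server can ask the kernel for the peer's uid/gid with SO_PEERCRED before acting on a single byte. The function names (`peer_credentials`, `is_authorized`, `serve_once`, `demo`) and the policy "only the owning uid may connect" are this example's own assumptions; SO_PEERCRED is Linux-specific, so the example is assumed to run on Linux.

```python
"""Who is on the other end of a local socket?

Added example: a Unix domain socket server that (1) restricts who can
connect via the socket file's mode and (2) checks the connecting peer's
credentials with SO_PEERCRED (Linux-specific) before answering.
A localhost TCP listener can do neither, which is why a "localhost-only"
service is reachable by every process on the machine.
"""
import os
import socket
import struct
import tempfile
import threading

# socket.SO_PEERCRED exists on Linux builds of Python; 17 is the Linux
# constant, kept only as a fallback (assumption: running on Linux).
SO_PEERCRED = getattr(socket, "SO_PEERCRED", 17)


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket.

    The kernel fills in `struct ucred` (three C ints); the peer cannot forge it.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def is_authorized(creds, allowed_uid):
    """Example policy (assumption): only the uid that owns the service may use it."""
    _pid, uid, _gid = creds
    return uid == allowed_uid


def serve_once(sock_path, allowed_uid, ready):
    """Accept one connection, check the peer, reply ACCEPT or REJECT; return creds."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)  # socket file is created 0600: other users cannot even connect
    try:
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        creds = peer_credentials(conn)  # decide BEFORE reading any request data
        verdict = b"ACCEPT" if is_authorized(creds, allowed_uid) else b"REJECT"
        conn.sendall(verdict)
    srv.close()
    return creds


def client_roundtrip(sock_path):
    """Connect as the current process and return the server's verdict."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(sock_path)
    data = cli.recv(16)
    cli.close()
    return data


def demo():
    """Run server and client in one process; return (verdict, peer_uid_matches_us)."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "svc.sock")
    ready = threading.Event()
    result = {}

    def run():
        result["creds"] = serve_once(sock_path, os.getuid(), ready)

    t = threading.Thread(target=run)
    t.start()
    ready.wait(5)
    verdict = client_roundtrip(sock_path)
    t.join(5)
    os.unlink(sock_path)
    os.rmdir(tmpdir)
    return verdict, result["creds"][1] == os.getuid()


if __name__ == "__main__":
    print(demo())  # (b'ACCEPT', True) when run as the owning user
```

The socket file mode stops other users at connect time, and the SO_PEERCRED check catches anything that still gets through (a world-readable socket directory, a misconfigured umask). Neither mechanism distinguishes two processes of the same user, which is the residual "still perimeter security" point the thread makes: a script or browser running as you still gets in.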