Aral Balkan
Today I learned that cookies do not provide isolation by port.
I guess that’s because, in 30 years of web development, I had never locally tested multiple instances of a peer-to-peer web app that used cookies for sessions before.
PS. You can just test from different loopback addresses. e.g., 127.0.0.1:443, 127.0.0.2:444, etc. Of course, your local TLS certificate has to include those IPs or you’ll see certificate errors if testing over HTTPS.
Ed Ross
@aral
Now you know this, what repercussions do you see? Do you think this could lead to any sort of privacy (or other) exploit? What could be done with this knowledge?
Aral Balkan
@edaross None unless you run different web apps at different ports and expect cookie isolation :) For Kitten/Small Web, none, as at deployment only one site runs at a domain.
Aral Balkan
@claudius I’m confused. How does that get you cookie isolation? (Which is a property of how browsers deal with cookies on the client side.) What am I missing? :)
(In this case, again, unless I’m missing something, you don’t really need cookie isolation since you own all the services.)
Claudius
@aral this is actually a real-world-concern in my opinion. My scenario: Have a off-the-shelf NAS (like QNAP, Synology ...) and have it serve the friggin admin interface on one port (which is common) **and** use their included software (like PhotoStation for QNAP) or the included webserver to host entirely different software all on the same hostname just on different ports.
Without isolating cookies by port, you can now gain admin cookies.
I did something like this for _years_.
Aral Balkan
@enp3s0 Setup? Not sure how much detail you need so:
- Fedora Silverblue
- Kitten (Node.js) https://codeberg.org/kitten/app
- Auto Encrypt Localhost https://codeberg.org/small-tech/auto-encrypt-localhost
- Firefox
Simon
@aral Today I learned there are clients apart from Internet Explorer that care about IP addresses in certificates. May I ask what the setup you're using to test this is?
Aral Balkan
@dan Ooh, I did not know about the subdomain thing. That’s nice :)
(Looks like Firefox implements it too. I’ll update the issue on Auto Encrypt Localhost to perhaps add support for some named localhost subdomains too as they’re nicer than IP addresses… hey, aesthetics matter too!) :P
Edit: Done, thanks! :) (https://codeberg.org/small-tech/auto-encrypt-localhost/issues/6)
Daniel
@aral There's also subdomains of localhost e.g. instance1.localhost
& instance2.localhost. I'm not sure if Firefox implements that, but Chrome will always resolve subdomains of localhost to localhost.
You could also run a proxy (caddy, nginx, etc) on 443 and have it send the different subdomains/IPs to the different instances.
Yea, cookies are effectively just host+path :)
Aral Balkan
@claudius Gotcha, thanks :)
Claudius
@aral no, it does not help. I'm just saying that the missing isolation across ports _does_ come up in the real world. And I would even argue that it's not that uncommon.
So: yes this is certainly a problem.
Aral Balkan
@dan Just released an update to Auto Encrypt Localhost that now supports place1.localhost - place4.localhost as well as 127.0.0.1 - 127.0.0.4.
Thanks again for the pointer, Dan, appreciate it :)
Daniel
@aral glad I could help :)
On the topic of TLS I was about to suggest a wildcard certificate `*.localhost` but it turns out that's not allowed by browsers 😅 via https://stackoverflow.com/a/68514822/3582903
Aral Balkan
@dan Also good to know :)
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.