1. 28

  2. 2

    You can prevent the DNS rebinding trivially today. Install unbound, use it. Explicitly whitelist the domains which you do want to allow to resolve into RFC1918 or localhost space.

    The dnssec-trigger project has binaries available to also handle hotspots, with desktop integration, but that system is a little temperamental so be careful.
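    As an added example of the unbound setup described above (this is illustrative configuration, not the commenter's own), here is a server section that drops upstream answers pointing into RFC1918, link-local or loopback space and whitelists one internal zone; `corp.example` and the resolver address `10.0.0.53` are assumed placeholders.

    ```conf
    server:
        # Refuse any upstream A/AAAA answer (including ones reached through a
        # CNAME chain) whose address falls in these ranges, unless the owner
        # name sits under a private-domain listed below. This is the actual
        # rebinding defence: a public name can no longer be flipped to 127.0.0.1.
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 127.0.0.0/8
        private-address: ::1/128
        private-address: fc00::/7
        private-address: fe80::/10
        # IPv4-mapped IPv6 addresses would otherwise bypass the IPv4 lines above.
        private-address: ::ffff:0:0/96

        # Explicit whitelist: names under this zone are allowed to resolve into
        # the ranges above (placeholder zone, substitute your own).
        private-domain: "corp.example"

        # Do not send queries to a resolver on loopback by accident.
        do-not-query-localhost: yes

    # The whitelisted zone is served by an internal resolver (assumed address),
    # so its private answers come from a source you control, not from the
    # public internet.
    forward-zone:
        name: "corp.example."
        forward-addr: 10.0.0.53
    ```

    Validate the file with `unbound-checkconf` before restarting; a quick functional check is to query a public name you own that deliberately resolves to 127.0.0.1 and confirm unbound now returns no A record for it.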

    1. 1


      1. 10

        Maybe someone stole his database?

        (I updated the URL.)

        1. 1

          Huh, bizarre. I just copied and pasted the URL, and the fetch title button worked fine so it must have worked at some point! Thanks jcs for fixing it.

        2. [Comment removed by author]

          1. 12

            I think your response is unjustly flippant. Are you saying that the only reason to run redis, memcached, elastic search, and anything else that could be used in this way is because one is a “jackass web hipster”?

            And which software are you calling broken? The local database? The web browser? Javascript? DNS? I don’t know if you actually read the article, but it’s not like any of the software used in this attack has an obvious bug in it; it’s a confluence of well-intentioned ideas that end in a bad result.

            1. 5

              I thought it was a somewhat reasonable response to a clickbait headline. If the parent’s post is implying that only “jackass web hipsters” run that software, then the article is implying that anyone who doesn’t isn’t a developer.

              A sentence like “the default state is vulnerable” is a pretty good way to diagnose something being broken. The paper about sending requests to local services is old enough to get its learner’s permit in many countries (and could drink in Germany if accompanied by an adult), but apparently these services still don’t have sane defaults. I think most people would blame the router that by default can be reset with <img src="" /> without requiring authentication. This is effectively the moral equivalent of that.

              1. [Comment removed by author]

                1. 3

                  I downvoted you as “troll”. I did this because I felt your responses were not constructive and were too simplistic in their world view. For example, the common view is that your own machine is a safe environment, especially if you’re behind some firewalls. It’s easy to see why one would believe that and not set a password for local development. Clearly you care about good software and doing things well; it would be great if you focused your energy on more constructive comments. Perhaps explaining why one’s local environment should not be considered safe, or how the browser infrastructure could be hardened.

                  1. 4

                    CSRF is a well-known attack vector, and unsafe defaults are too; I would call it broken too.

              2. [Comment removed by author]

                1. 14

                  I’ve run into this strange use of the term “hipster” a few times among OpenBSD people, which seems almost exactly inverted to me. Admittedly the term means almost anything anyone wants it to mean, but still. Example: the person who runs a web stack full of old-school C-on-CGI and some interesting but niche bits of technology, and named it to be a homophone of “bitches”, bills it as “hipster-free” (!). It’s like walking into a coffee shop that grinds its own coffee on manually operated copper grinders from the 1880s, and hearing them complain that other people are hipsters. Like people who drink McDonald’s coffee.

                  1. 7

                    A more appropriate analogy would be if modern coffee grinders had a tendency to randomly explode and cause grievous injuries to anyone in the vicinity, and yet people were abandoning the older, proven coffee grinders that exploded less often and adopting ones that exploded more. To the point that every week there are new articles out with tips on how to prevent your coffee grinder from exploding, and some people publish articles on how to make other people’s coffee grinders explode. And that one coffee shop operates a coffee grinder that has been continually improved and refined for over 20 years and only has two documented accounts of exploding, and yet barely anyone uses it.

                    Also, BCHS is pronounced beaches, it’s right there on the website with an IPA key and everything.