ugh, I also need to protect against confused deputy attacks against localhost because we're not running ocap operating systems and perimeter security is a failure
if anyone wants a fun story about just how dangerous confused deputies can be, see https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html which is a security vulnerability I bumped into which allowed for arbitrary code execution against guile processes that were being used for local development
Unix domain sockets are still perimeter security, but are a bit less likely to be exploited because many services may accidentally do http requests against localhost and won't realize how many things they can fuck up
@freakazoid yes, but filesystem access protections are still hot garbage. See the original confused deputy attack: http://cap-lore.com/CapTheory/ConfusedDeputy.html
@freakazoid or rather I should say Unix-style filesystem protections.
@cwebber I just meant it's another advantage over localhost sockets. I'm definitely a believer in ocap security.
@cwebber now I'm terrified
@qwazix turn that terror into motivation to read up on object capability security to learn how to build a better and safer world ;)
@cwebber And at least they have normal filesystem access protections, whereas there are none at all with localhost connections.