Klipper/Fluidd is using a Cross-site cookie directed at www.klipper3d.org. My knee jerk is privacy violation... change my mind? #1822
Replies: 2 comments
Fluidd is (normally) served locally and runs on the browser, but doesn't have or use any cookies anywhere - feel free to check the source code, it's right here! Having said that, there are quite a few unofficial forks around and we obviously have nothing to do with those. If you are experiencing an issue, I would request that you post the full version as shown on the bottom right and what printer you are using so we can further comment on this matter.
As requested, posting full date, name, version, hash of my setup as seen in the bottom right corner of the UI. Not sure what you need my printer for... but you can have that too I guess.
Yes, of course. I am fully aware of the technology. Leveraging a browser's ability to render a fully featured user interface for local systems is a well established technique. Fluidd is very good at it too.
Well I may have to. As well as check diffs and merges/pulls. I absolutely was served a cookie by Fluidd on the above day, from the posted version. My eyesight is fair, and my memory is good. I have never seen cookies served by Fluidd before, so I would like to believe you, but I saw what I saw. Maybe something was compromised, maybe it was a glitch... IDK. Nevertheless, I totally received a warning.
I get Fluidd via installing Klipper. I get Klipper via KIAUH, which is an approved method found in the official GitHub repo's guide. The URL for this guide is In general, I am pretty familiar with *NIX systems, and their concept of software repos, hashes, signatures, and so on... so it would be pretty wild to SE me into grabbing an unofficial, potentially malicious fork, e.g. .org vs. .com vs. .net. That said... come to think of it... has anyone in the team considered that there have (sadly) been quite a few FOSS supply chain attacks recently? Given the timeline, is it possible that one of the dependencies of the project had/has been compromised? Because this is the only scenario I can envision where both of us are right.
The issue I was experiencing was already explained, but I guess I can try to say it more clearly. The local copy of Fluidd running live on my printer was flagged (a few weeks ago now) by my browser for serving me a cookie. It was not just a normal cookie, it was specifically a nefarious type of cookie; a cross-site cookie. Such cookies are designed to copy info from one site (local instance of Fluidd) and drop it to another site upon visiting it (www.klipper3d.org). On the surface this looks plausibly excusable, since the external site is the official site for Klipper. The problem is the IMPLICATION... Such a cookie is designed to copy data from one site and bring it to another... which under normal circumstances might be fine, maybe even desirable. The problem is the site that it is getting the data taken from has a high probability of intending to be cut off from the rest of the world... so pulling data from it and dumping it on the internet is called data exfiltration, a pretty big no-no even if it's to the mother site. If you do not have a kosher explanation for why Fluidd would try serving me such a cookie... then there may be some kind of problem. May be a good idea to start a poll of FF + Fluidd users, see how many other people happened to have this happen to them. ...Hopefully just me. Edit: Cleaned up some points.
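The two sides of this thread can be reconciled with evidence rather than recollection: a browser labels a cookie "cross-site" when the cookie belongs to a site other than the one shown in the address bar, which is decided by the responding host and the cookie's `Domain` attribute, not by what the cookie contains. The script below is an added example, not Fluidd's code or anything from the Fluidd or Klipper projects. It takes the `Set-Cookie` headers captured during a page load (from the document itself and from every script, font or image the page requested) and reports, for each cookie, which site it belongs to, whether that site differs from the page's site, and its `SameSite`/`Secure` attributes. The printer address `192.168.1.50` and both cookies are constructed for illustration; the `www.klipper3d.org` cookie is made up to show what a cross-site record looks like and is not a claim that the site sets one. The eTLD+1 logic is a deliberate simplification (last two DNS labels instead of the Public Suffix List).

```python
"""Classify Set-Cookie headers observed during a page load as first-party or cross-site.

Added example for this discussion, not Fluidd's code. Hosts and cookies are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse
import urllib.request


def registrable_domain(host: str) -> str:
    """Approximate the 'site' (eTLD+1) of a host.

    Simplification: keeps the last two DNS labels. Browsers consult the Public
    Suffix List, so a host like 'foo.co.uk' would be classified wrongly here.
    IPv4 literals and single-label hosts are returned unchanged.
    """
    host = host.lower().strip(".")
    if host.replace(".", "").isdigit():  # IPv4 literal such as 192.168.1.50
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_cookies(page_url, responses):
    """Return one record per cookie set while loading page_url.

    responses: list of (response_url, [Set-Cookie header values]) captured from
    every request the page made (main document, scripts, images, fonts ...).
    A record is cross_site when the cookie's site differs from the page's site.
    """
    page_site = registrable_domain(urlparse(page_url).hostname or "")
    records = []
    for resp_url, set_cookie_headers in responses:
        resp_host = urlparse(resp_url).hostname or ""
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                # An explicit Domain attribute widens the cookie to that domain;
                # without one the cookie belongs to the host that set it.
                cookie_domain = (morsel["domain"] or resp_host).lstrip(".")
                cookie_site = registrable_domain(cookie_domain)
                samesite = (morsel["samesite"] or "").lower() or "(unset)"
                records.append({
                    "name": name,
                    "set_by": resp_host,
                    "cookie_site": cookie_site,
                    "cross_site": cookie_site != page_site,
                    "samesite": samesite,
                    "secure": bool(morsel["secure"]),
                })
    return records


def fetch_set_cookies(url, timeout=5):
    """Fetch one URL and return (url, [Set-Cookie values]) in classify_cookies' input shape.

    Useful for a single request, e.g. the UI's own document; a full page load is
    better captured from the browser's network panel or a HAR export.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return (url, resp.headers.get_all("Set-Cookie") or [])


def sample_page_load():
    """Constructed capture of a page load; not real traffic from any printer or site."""
    page = "http://192.168.1.50/"  # constructed address of a local printer UI
    responses = [
        (page, ["session=abc123; Path=/; HttpOnly"]),
        ("https://www.klipper3d.org/constructed-asset",
         ["_tr=xyz; Domain=.klipper3d.org; SameSite=None; Secure"]),
    ]
    return page, responses


if __name__ == "__main__":
    page, responses = sample_page_load()
    for rec in classify_cookies(page, responses):
        flag = "CROSS-SITE" if rec["cross_site"] else "first-party"
        print(f"{rec['name']:<10} set by {rec['set_by']:<20} {flag:<12} "
              f"SameSite={rec['samesite']} Secure={rec['secure']}")
```

Run against a real capture, a first-party-only result for the local UI (every record with `cross_site` False and `set_by` equal to the printer's host) confirms the maintainer's statement for that installation; any record whose `set_by` is an external host identifies exactly which request on the page produced the cookie, which is the detail a bug report needs.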
Hello.
Today I noticed in my address bar next to my very local printer URL that there was a button calling out a Cross-site cookie for Klipper/Fluidd UI!!! I was pretty taken aback by this, being that my system is essentially off grid, and so should have no earthly business opening a channel that shares anything with an outside site, regardless of whether that site is sanctioned or not...
Critically, this is 10x more concerning in the light of recent highly aggressive and widely undesired "anti-innovation," ...oops, sorry... I meant, "anti-autonomy" ... err... One more time maybe? ... "Anti-3DP-gun" laws being passed.
Now... I love Klipper to death. I would love to keep using and recommending it. So I am trying really really hard to keep an open mind and justify this decision... but I'm finding it really hard to defend.
As far as I am aware these cookies are really only used for one purpose, to exfiltrate user data from one site to another.
For now, my browser protects me by allowing me to deny access to that cookie, so I am not concerned about the practical attack on my person. However, the possibility that this could be leveraged in the future to send fingerprinted records of one's prints to an external site has absolutely raised a red flag with me.
Can someone please explain the technical need for this? With details? Show me how it needed to be this way and no other way?
If I want @klipper3d.org to have any info from my printer, I can copy the numerous log files and post them; I don't need a cookie doing it for me automatically plus "opt-out."