Cookies for everyone!

Chicago University has recently moved to two-factor authentication. While this is not itself objectionable, it is pretty annoying to have to have access to my cell phone for push notifications just to be able to use MathSciNet. Fortunately, there is (at least) an option to “remember” a login for 30 days without having to use two-factor authentication. That is, it would be fortunate if this feature actually worked. Having just converted to Firefox from the interminably slow Safari, I find the uchicago website prevents me from remembering my login for 30 days because “I don’t have cookies enabled.” Except I do have cookies enabled, just not from third parties. What does the crack security team at Chicago ITS suggest? Enable all third-party cookies from everyone! Firefox does have an option for allowing (third-party) cookies from an approved list of websites, but, at this time, they couldn’t work out all the different websites that wanted to force a cookie upon me when logging in.

Added: The final word from Chicago ITS:

Hello,

We have looked into other reasons as to why this functionality is the way it is and it seems to be a part of DUO authentication that cannot be changed. The best suggestion we [have is] using VPN when accessing university resources if you want it to remember you for 30 days. Otherwise, 3rd party cookies will have to be enabled to have this work without using VPN. Using the University VPN does have advantages if you are working in a public network.

Regards,

ITS Service Desk

====================

This entry was posted in Rant.

14 Responses to Cookies for everyone!

  1. I highly recommend the Firefox extension NoScript. With the extension operating all sites are by default prevented from setting cookies or running scripts. You can then whitelist specific sites (e.g. *.uchicago.edu).

    Of course you sometimes just want to browse the web. For this I have a secondary firefox profile which is configured to permit all scripts and cookies, but to remember no history (so everything, including cookies, is erased when the program is closed).

    By default re-running firefox opens new tabs in the existing program rather than starting a new one. The command-line switch to ignore this is “-no-remote”; I have an alias which runs the following:

    firefox -no-remote -P extra

    where “extra” is the name of my secondary profile.

    • One problem is that I (and ITS) don’t know the names of the sites to whitelist — the point is that it’s not just *.uchicago.edu but other mysterious websites associated to the third party authentication process with unguessable urls. But thanks for the NoScript suggestion!

      • e.li says:

        I’m a little late to the party, but if you’re still dealing with this, there’s an extension along the lines of NoScript called uMatrix. You can use it to set rules for allowing/disallowing specific types of content (cookies, images, scripts, css, frames, XHRs), at the 1st/3rd party, domain, and subdomain levels; you can also subscribe to blocklists of various kinds to get a good amount of nasty/creepy domains blocked. Depending on my paranoia levels throughout the day, I even waffle between trusting all “not known-bad” 3rd parties to manually whitelisting every 3rd party domain.

        Here’s a screenshot of the 2FA page: https://i.imgur.com/o6bjbMK.png
        It looks like Duo has you query some random subdomain endpoint, but you can just whitelist cookies from *.duosecurity.com. I’ve never fiddled with FF’s content whitelists, but it should recognize that pattern. I just like uMatrix because it’s so easy to access and shows me all of the 3rd party requests so it’s easier to configure on the fly.

    • The w3m browser is a nice alternative to calling Firefox with a flag or noscript. There is a w3m-img extension.

      Various sites provide good domain lists. WebOfTrust has a browser extension, and Google’s internal domain authority score (used in rankings) can I believe be gotten at through a browser extension. Cloudflare does this in reverse, telling sites if *you* are untrustworthy. Digging through their stuff should uncover some more site quality estimators.

      One of the inputs to Google’s domain authority score is to look at how many class B or higher blocks link to a site. I could get 50 tumblr subdomains to link to each other or buy a /24 CIDR and pump lots of FQDNs through it and make it look like I have a diverse in-link profile, but this is harder to fake if you look further to the left in IP address space.

      HTH

  2. By the way, if the goal is to access MathSciNet, a better method is to create your own VPN by tunnelling through an SSH connection.

    My office machine runs a web proxy (squid) and an SSH server. My home computer and laptop are configured so that when SSH connects to my office machine, it forwards local port 3128 (the web proxy port) to the same port on the remote side. On those machines I have a separate (third) Firefox profile which is configured to connect to a web proxy at localhost:3128. This means that all web accesses made through that profile are routed through my office machine and therefore originate within UBC’s network. This allows me to use on-campus resources everywhere.

    • Didn’t mean to post yet — important caveat:

      If you run an SSH daemon on an internet-facing machine, you are creating a security risk for the network, and it behooves you to be rather paranoid about the setup. I advise:

      1. Using a serious password on your account, preferably using public-key authentication so no passwords are necessary.
      2. Prohibiting root ssh logins, and in fact only allowing your user to ssh in (see sshd_config)
      3. Using /etc/hosts.deny to ignore all incoming connections by default, and then in /etc/hosts.allow only allowing general connections from .uchicago.edu and from your home IP address, and restricting ssh connections as much as possible (when not travelling I usually don’t allow other connections).
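The tunnelled-proxy setup from the comment above, together with the hardening points in the follow-up caveat, as an added example (not the commenter's own scripts): it generates the ssh forwarding command, a Firefox user.js for the dedicated proxy profile, an sshd_config drop-in and the TCP-wrapper files. The host name office.example.edu, the account name alice and the address 203.0.113.7 are constructed placeholders; port 3128 is squid's default as the comment states. Files go to a staging directory for review rather than straight into /etc.

```shell
#!/bin/sh
# Added example, not from the original comment. Placeholder values:
OFFICE_HOST="office.example.edu"   # constructed; the office machine running squid + sshd
OFFICE_USER="alice"                # constructed; the only account allowed to ssh in
HOME_IP="203.0.113.7"              # constructed; documentation-range address for "home"
PROXY_PORT=3128                    # squid's default port, as in the comment

# The forward itself: -N opens no remote shell, -L binds the local side to
# 127.0.0.1 so the forwarded proxy port is not reachable from the LAN.
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:localhost:%s %s@%s\n' \
        "$PROXY_PORT" "$PROXY_PORT" "$OFFICE_USER" "$OFFICE_HOST"
}

# user.js for the separate Firefox profile: manual proxy (type 1) for both
# http and https, and an empty bypass list so no request goes out directly.
proxy_user_js() {
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", $PROXY_PORT);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", $PROXY_PORT);
user_pref("network.proxy.no_proxies_on", "");
EOF
}

# sshd_config drop-in for caveat points 1 and 2: keys only (keyboard-
# interactive is disabled too, otherwise PAM can still prompt for a
# password), no root logins, and only the one user, restricted by source
# via user@host patterns. Hostname patterns need reverse DNS (UseDNS yes);
# the IP pattern works regardless.
sshd_hardening() {
    cat <<EOF
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers $OFFICE_USER@$HOME_IP $OFFICE_USER@*.uchicago.edu
EOF
}

# Caveat point 3, TCP wrappers: deny everything by default, then allow sshd
# only from the campus domain and the home address.
hosts_deny()  { printf 'ALL: ALL\n'; }
hosts_allow() { printf 'sshd: .uchicago.edu %s\n' "$HOME_IP"; }

# Write all pieces to a staging directory for review, never straight to /etc.
stage() {
    dir="$1"
    mkdir -p "$dir"
    tunnel_cmd     > "$dir/tunnel.sh"
    proxy_user_js  > "$dir/user.js"
    sshd_hardening > "$dir/50-tunnel-host.conf"
    hosts_deny     > "$dir/hosts.deny"
    hosts_allow    > "$dir/hosts.allow"
}

if [ $# -gt 0 ]; then
    stage "$1"
fi
```

Run it as `sh tunnel-setup.sh ./staging`, inspect the output, then copy user.js into the proxy profile's directory (create the profile through the profile manager and start it with `firefox -no-remote -P proxy`, as in the earlier comment) and the drop-in into /etc/ssh/sshd_config.d/ on the office machine. The hosts.allow/hosts.deny files only take effect where sshd is still built with libwrap; OpenSSH removed that support in 6.7, which is why the AllowUsers patterns carry the same source restriction inside sshd_config.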

  3. DS says:

    All that cookie-related clicking just a bit too much?

  4. Richard Séguin says:

    Try enabling third party cookies, accessing MathSciNet, and then disabling third party cookies immediately after. It may continue working. I’ve had to do this with Amazon and one or two other sites. Unfortunately, I don’t have institutional access to MathSciNet and can’t do that experiment for you. You might want to try Waterfox, which is a Firefox variant, and unlike Firefox, still allows the Tab Tree extension with which you can put tabs on the side and indicate the tab tree structure.

  5. TG says:

    Have you tried the AMS’ own mobile pairing (which lasts 90 days)? It’s what I use and it always works OK for me.

    • After a week of trying, the best Chicago ITS has come up with is installing a VPN client and connecting remotely. But using the VPN, I was able to successfully install the AMS mobile pairing, so yay, mathscinet in Luminy!
