[epitactic]

> sshd on your shared university server

Another attack scenario applies if the shared server hosts a web server:

If you have a shell and can bind a port, listening for HTTP requests. Example: nc -vvl 8080

Trick a victim into visiting your malicious port: http://example.com:8080/

The attacker gets the victim's cookies for http://example.com:80/ (and https://example.com:443/, if the "secure" flag is not set). And all other ports.

This attack succeeds because "Cookies do not provide isolation by port" (RFC6265 Section 8.5).

What is the fix? If only the cookie spec allowed binding to specific ports...

But an alternate fix could be requiring web browsers to only connect to privileged ports. 80 and 443, or any port <1024, thwarting the unprivileged user from exfiltrating cookies.

Unfortunately this ship has sailed and web browsers now have to support unprivileged ports forever. A more practical defense, in practice, is to consider this scenario out of scope, and/or implement application-level authentication. I am with you, and would have advocated privileged ports to defend against these attacks (with http and ssh and other services), but am not optimistic it will gain any traction. The world has moved on, and even multi-user shell servers are becoming increasingly rare (as much as I use them - still a proud Super Dimension Fortress member)

[throwaway09223]

Well, that's a bug in the HTTP cookie spec. Regrettable, but as you note something that should have been foreseen. There's absolutely no excuse, as RFC6265 itself notes "cookies contain a number of security and privacy infelicities."

This bug is unrelated to port privileges