SameSite Cookies – What are they?

SameSite cookies is a new cookie attribute proposed by the folks over at Google and Mozilla to allow cookies to be declared as “same-site” and therefore shouldn’t be attached to cross site requests; essentially mitigating Cross Site Forgery Requests (CSFRs). This feature is currently present in Chrome 51 and Opera 39.

If you have a website that uses cookies then you can start supporting SameSite cookies straight away, by simply adding the SameSite attribute in the Set-Cookie field. Now the SameSite attribute requires a value (else it will be ignored) – the choices are: Lax or Strict.

You’d implement them by using either:

  • SameSite=Lax
  • SameSite=Strict

So what’s the difference between Lax and Strict?


Strict, as you will have probably guess is the more rigorous and robust option for protection, it would more than likely protect against all CSFR attacks, however this comes at a cost – the cookie is not sent with ANY type of request, including GET requests.

For example: If you click [GET request] on a tweet with a link to a Facebook album hosted on – and is using strict mode then the user wouldn’t be taken to the facebook page and already be logged into, even if they were already logged in.

This is because the browser will not be allowed to send cookies from to


Lax is the less severe of the two options, by only stopping cookies being sent cross domains if it’s using HTTP methods that we’d call unsafe such as DELETE or POST.

This means that in the strict example above the user would be logged into facebook, however if: A user submits a form [POST request] on a website where the target is then if is using lax mode then the request would not go through.

So in conclusion, strict mode provides much better security, though breaks some functionality. Linking to a resource on a website such as private facebook album wouldn’t work from external sites, even if you were logged into facebook and would have access to the album normally. In lax mode this scenario would work, however you would be better protected from cross site post or delete requests such as auto-posting an advert on your facebook wall, which I think we’d all be happier without.

Subresource integrity

A new feature in Google Chrome 45 is the ability to add meta data inline to <script> and <link rel=”stylesheet”> elements which will allow the browser to determine if the resource which has been downloaded is the same as the author intended.

This is done by adding integrity  metadata to the element inline such as:

<link rel=”stylesheet” href=”this_is_verified.css” integrity=”sha256-qvuZLpjL9TNV6yI1kNdGCPnSTrWM6Y0ILEzzyvA9hGY=”>

You would generate the base64 encoded version of the SHA256 hash with the following command:

cat this_is_verified.css| openssl dgst -sha256 -binary | openssl enc -base64 -A

If the hash doesn’t match the file and the integrity is compromised the browser will not load the resource.

This is currently in development for Firefox as well, though no news on Edge or Safari for implementation.

Using Smart DNS to access US Netflix

Whilst looking for a router I could set up as VPN gateway to the US to access the larger library of content they have available on Netflix, I landed upon I signed up for a full VPN account, with access to Smart DNS.

Smart DNS allows you resolve the American Netflix, by only changing your DNS records. This is useful as most devices that allow you to use Netflix, which may not necessarily have full VPN support will allow you to change your DNS records. Allowing you to keep your full speed from your ISP, and not having to tunnel through a VPN for a service that doesn’t require encryption.

To Quote OverPlay:

By enabling the SmartDNS service on your OverPlay account (visit the My Account area of our website, and choose the Server Details tab) and then performing the incredibly simple configuration change, you’ll instantly enable access to websites currently blocked at your office, school, or location. With no software to install, it even works on connected devices – iPads, AppleTVs, roku or BoxeeBox… the list is endless! Furthermore, if you make the simple configuration change on your local router, you’ll even benefit from the SmartDNS service on your entire network.

Please note that this service differs from our standard offering in a few ways. Firstly, this isn’t a VPN! It doesn’t encrypt traffic, everything still goes via your ISP. Don’t use this service if you need the extra safety provided by the VPN! Second, unlike the VPN service, the supported websites are whitelisted – obscure sites may not yet be supported, and others simply may not be compatible. Don’t worry though, if SmartDNS doesn’t unblock, you can fall back to our standard VPN service!

Visit OverPlay to have a look at the Smart DNS service.

A guide to avoid online censorship & staying safe.

In the past few years you will have seen more and more news about items like SOPA & the Digital Economy Act which were attempts to curb your privacy and rights online by using piracy, child pornography and terrorism as guises to try and push these through.

Even without these recently in the UK the courts have decided that 5 major ISPs must block the piratebay, and thus ending all piracy.

However, these blocks can be circumvented easily and securely using VPNs. There are other guides online to using proxies, however they are not as safe as using a private VPN service.

A VPN allows you to tunnel all your traffic from your device to a server elsewhere using SSL allowing you to totally hide your traffic from your ISP, and making it appear to any sites or services that use that you are coming from the server, rather than your specific device (and it’s associated IP address).

Step 1 – Signing up for a VPN service

I would suggest using a service like, there are 3 packages you can choose from depending on your requirements.

  • Silver provides 2mb download speed, useful for streaming iplayer & general internet usage.
  • Gold provides 6mb download speed, useful for HD streaming and big downloads
  • Premium provides unlimited download speed (50mb), useful for those heavy downloaders among you.

Step 2 – Using the service

YourPrivateVPN comes with a tool for windows and guides for Mac & Linux on how to use the VPN, however the main features are servers in 6 countries (UK, Germany, Switzerland, Netherlands, America & Canada) which allow you to seem to be coming from these countries and helps further anonymise your browsing.

You should use the VPN when doing any browsing that you feel would be looked unfavourable upon by your ISP or the government. By using the VPN none of your traffic is seen by your ISP and therefore can’t be blocked, shape or monitored.

So by using a VPN on Virgin Internet you can visit or any other site the British Government and court system decides isn’t in its interest.

When this type of stuff happens in China or Libya it’s called oppression.

Ideas when to use a VPN:

  • When using free internet in places like Starbucks, McDonalds, Airports
  • When using paid for internet in hotels or abroad and are unaware of who is looking at your browsing habits.

Step 3 – Be safe, be private.

That’s it really.


Rainbow Tables

So Rainbow Tables, the how in ‘How did you crack my password of xuher7863sl in less than a minute?’

The basics of Rainbow Tables are built upon the way that passwords are stored in most cases on servers on on your local computer. Passwords are stored as hashes which are one way operations meaning there is no mathmatically way to turn the gibberish looking string of letters and numbers that is displayed into the original text.

There are many types of hashing functions, with varying complexity and security. The most prevalent hash used on web servers hosting forums, CMS and games use MD5. Without going into the complexities of the hashing function a simple string such as ‘password’ becomes: 5f4dcc3b5aa765d61d8327deb882cf99 .

However no matter how many times you turn ‘password’ into an MD5 hash you will always get the same result, so this provides us an opportunity to create a database of passwords and their corresponding hash. So if you have an unsalted hash then you can simply do a lookup in a Rainbow Table and go ‘what password has the hash of: 5f4dcc3b5aa765d61d8327deb882cf99 ? and you will get the answer: password.

So how do you get around this issue of if someone obtains your hashes and starts to look them up one by one using one of the many hash lookup services (such as GDataOnline) ? Well prevention is cheaper than a cure, and the prevention is too salt your hashes with other random characters by prefix the password with (for example) hsdfh788 and then turning that into an MD5. This instant renders every Rainbow Table useless as they have only been created to compare against original text not hsdfh788password.