Google says that its Chrome browser will soon block internet websites from querying and interacting with devices and servers located inside local private networks, citing security reasons and past abuse from malware operations.
  • X_Cli@lemmy.ml
    7·
    3 years ago

    Being a network security specialist, I’ll ask these basic questions:

    • what’s the universal definition of a private network?
    • does this measure make sense in IPv6 within the global scope?
    • is it the responsibility of the browser to secure against DNS rebinding?

    My answers to these questions are:

    • there is no universal definition, so this approach is doomed by design
    • no
    • heck, no; that’s the job of the webserver, by avoiding the so-called default virtual host. The Host/:authority header should always be verified, and this is sufficient to counter all forms of DNS rebinding.
  • pinknoise@lemmy.ml
    4·
    3 years ago

    It’s about time, attackers can extract quite a bit of data about the local network via the browser. It’s pretty easy to identify appliances and home routers given someone stays on a site long enough.

  • AgreeableLandscape@lemmy.ml
    4·
    3 years ago

    There is pretty much no legitimate reason that a site from the internet should access the local network.

    The only exception I’ve seen to this is Synology having a NAS finder webapp where it searches your local network for a Synology device and tells you the IP address. But that’s a tiny niche use case and there are other ways of finding it that doesn’t involve a website (the device broadcasts its identity and has a hostname FFS). Any open source IP scanner will find it instantly, or in many networks you can just type in the hostname into your browser like a domain.