Local Port Scanning
-
Does Vivaldi have a detection or prevention against websites sites scanning your network?
Brave aims to automatically block website port scanning...
https://arstechnica.com/security/2023/06/brave-will-soon-control-which-sites-can-access-your-local-network-resources/
Can Vivaldi alert you if a site tries?
-
My guess is that they are using this Chromium feature which is still a Work in Progress https://developer.chrome.com/blog/private-network-access-update/, although they may have added some UI and prefs on top (no idea)
Controlled by chrome://flags/#block-insecure-private-network-requests
And as far as either of these being "new": I implemented a complete block for access to more local network resources from more remote/public websites in Opera Presto (LAN could not access localhost, WAN could not access LAN or localhost; exceptions could be added), and which was available until Opera 12 (not in Opera 14+ which is based on Chromium)
The new thing is that there is new functionality that sends a preflight request (using tokens) asking for permission to send the actual request from a specific server.
-
Interesting. I'll research these flags. Any suggestions? Do you know this project? https://github.com/ACK-J/Port_Authority It seems like it's only available on Firefox for the same reason you were able to implement a block with Opera 12. He's got a good block list to import to uBlock or pfBlock.
-
Hi, interesting question and I think the issue of Websockets and Ebay was up before but the topic is gone for some reason. There's a feature request but it's got one vote and that's from me
Can Vivaldi alert you if a site tries?
There is no such feature in Vivaldi at the moment and I have no idea if anything is planned about what to do with Websockets, specifically to localhost.
Running a good adblocker will protect you against most of this - as the scripts that do Websocket connections will be blocked from even running. But blocklists will never block every site out there of course. Blocking JS would though, but that's not something a lot of users would want to do.
Vivaldi supports standard Adblock rules, and with a custom blocklist file added, Vivaldi will block all Websocket requests with a simple rule:
$websocket
I guess it could be changed to something blocking just requests to localhost so as to not block everything using WSS out there.
127.0.0.1^$websocket
localhost^$websocket
(no idea if both are needed here, but just to be sure...)
-
<Rantmode on>
Yeah, Websockets are Evil
and whoever thought it was a good idea to allow client JS to make connections on your local network should be barred from participating in any web standard works in the future.
Oh look who the author is - someone from Google - it makes sense now...
"...running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code"
Well my host machine never opted in to being scanned by Ebay or any J. Random Hacker out there.
What do we really need Websockets for anyway? Full-duplex connections, doing what exactly? Why does everyone seem to invent new protocols for the web when HTTP has worked perfectly well for 30 years? I'm sure the JS kiddies love it.
Brave's idea is good, but do we really need our browser to give us even more alerts about the permissions websites want? I feel users are constantly clicking Allow on notifications dialogs because they are tired of all these constant nags and don't care anymore. They've been told to always click Yes on dialogs anyway over the years of PC use, otherwise things might "not work".
I think browsers should just block stuff like this by default, including web notifications (my personal hate subject) and not nag the user about it at all. Let the users who are technical enough to understand how it works decide if they want it on - the rest can leave it as is and no harm done.
<Rantmode off>
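Added example, not from the thread and not Vivaldi's or uBlock's own code: a minimal matcher for the Adblock-style rules posted above (`$websocket`, `127.0.0.1^$websocket`, `localhost^$websocket`), so you can check what each rule actually catches before importing it. It assumes standard Adblock Plus pattern syntax (`^` separator, `|`/`||` anchors, `$type` options); real engines do considerably more.

```javascript
// Simplified Adblock-style rule matcher (added example, not a real engine).
// '^' in a pattern matches one separator: any char except letters, digits,
// '_', '-', '.', '%', or the end of the URL.
const SEP = "(?:[^A-Za-z0-9_\\-.%]|$)";

function compilePattern(pattern) {
  let re = "";
  if (pattern.startsWith("||")) {
    // '||' anchors the pattern at the host (any scheme, optional subdomains).
    re += "^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?";
    pattern = pattern.slice(2);
  } else if (pattern.startsWith("|")) {
    re += "^";
    pattern = pattern.slice(1);
  }
  let endAnchor = false;
  if (pattern.endsWith("|")) { endAnchor = true; pattern = pattern.slice(0, -1); }
  for (const ch of pattern) {
    if (ch === "*") re += ".*";
    else if (ch === "^") re += SEP;
    else re += ch.replace(/[.+?()\[\]{}\\\/$|]/, "\\$&"); // escape regex metachars
  }
  // A pattern with no anchor matches anywhere in the URL, as in Adblock syntax.
  return new RegExp(re + (endAnchor ? "$" : ""), "i");
}

// Split "pattern$opt1,opt2" into a compiled regex plus its request-type options.
function parseRule(rule) {
  const i = rule.lastIndexOf("$");
  const pattern = i === -1 ? rule : rule.slice(0, i);
  const types = i === -1 ? [] : rule.slice(i + 1).split(",");
  return { regex: compilePattern(pattern), types };
}

// True if any rule blocks the request; `type` is the request type the browser
// reports, e.g. "websocket" for ws:// and wss:// connections.
function isBlocked(rules, url, type) {
  return rules.some(r =>
    (r.types.length === 0 || r.types.includes(type)) && r.regex.test(url));
}

// Constructed sample rule sets: the two rules from the post, and the same
// rules with a '||' host anchor added.
const postRules = ["127.0.0.1^$websocket", "localhost^$websocket"].map(parseRule);
const anchoredRules = ["||127.0.0.1^$websocket", "||localhost^$websocket"].map(parseRule);
```

The unanchored patterns from the post match anywhere in the URL, so a remote `wss://example.com/localhost?x=1` is blocked too; the `||` form limits the rule to the host, which is what you want when the goal is only to stop connections to localhost.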
-
@Pathduck Websockets are not evil. If I wanted to make any kind of cloud connected web app, using a socket would be easier than constantly having to make new http connections for every packet. This forum software we're using right now makes websocket connections.
But assuming default on access to localhost or doing port scanning? Yes, that's evil and serves no purpose.
-
@LonM Sure - I just strongly dislike any new tech introduced for marginal gains and opening up a swathe of security concerns.
One thing is being able to connect to localhost. Another is being able to connect to local network addresses. These things should be blocked by default, and let those developers and enterprises who need this internally enable it by some flag or GPO.
The CableHaunt vulnerability was facilitated by the browser being able to connect to the local router on a port which was only open on the internal network. Easy for attackers to do a scan and find vulnerable devices and services for further attack - and especially now with IoT and people having lots of potentially vulnerable services on their network they're not even aware of.