Option to disallow web sites from probing and communicating with devices on my LAN.
-
I moved my computer to a new LAN and noticed a new interesting thing on YouTube: A "play on TV" button on the videos. ...and, sure enough, it works. I push it and the video plays on the Roku TV that's on this LAN.
The problem is, I don't sign into a Google account, and the Roku TV isn't signed into one either, so how did YouTube know that there was a TV there to play the video on, and how did it tell the TV to play the video?
I could only think of two possibilities:
-
YouTube noticed that both connect via the same IP address and is making their web site serve a web page that is aware that it can also tell the YouTube app running on the Roku TV to play a video. This seemed unlikely since web sites usually don't assume that the same IP address means the same users, but I considered it because the alternative is:
-
Vivaldi allows web sites to listen for devices on my LAN and communicate with them.
To determine which it was, I used iptables rules in Linux to block Vivaldi's ability to talk to my LAN. Sure enough, the "play on TV" button vanished. Then I removed the rules and, sure enough, it came back. So I put the rules back to block this security problem for the time being.
The fact that my web browser is allowing a web site I visit to communicate with devices on my LAN is rather disturbing. There's a firewall between my LAN and the rest of the internet, but apparently, to bypass it, all one needs to do is get me to open a web page, and then their web page can run code that does whatever it wants on my local LAN. Presumably it could then access intranet web sites, access my router's configuration page, access file shares, etc. Even if not "whatever it wants," even if the only thing it can do is determine if there's a Roku TV in the house, it shouldn't even be able to do that. When I connect to a web page, it shouldn't be able to determine anything about what's in my house, nor command anything in my house to do anything.
I have no idea via what mechanism this happens. ChatGPT seems to think it might be WebRTC and it also thinks there should be an option to disable it, but there is no option and I don't even know that it's WebRTC. I tried looking up what WebRTC is and that's all described with buzzwords and no technical details, like I'm not supposed to know, I'm just supposed to be happy that it's good, whatever it is. I did find that Google created it, which probably means it's mostly intended to better allow Google to spy on people.
I did some playing with tcpdump and found there's some communication going on between my PC and the Roku, ports 8060, 1900, and 8009 on the Roku's side, and a bunch of random 5-digit ports on the PC side. As best I can tell, 1900 is something called the "simple service discovery protocol" and most references to it on the internet are talking about UPnP for some reason, 8060 is something called "ECP" which I guess is Roku-specific, and 8009 is related to chromecast devices. So I guess it has nothing to do with WebRTC, whatever WebRTC may be, but it also doesn't seem like anything designed with any security in mind. It seems like web sites are just able to open, listen and connect to random sockets and communicate with any protocol they like on my LAN.
Whatever is going on, it would be nice if there were an option to disable it, and it would be especially nice if it were disabled by default. People who want Google (and presumably any other web site) to be able to listen for and communicate with devices on their LAN should have to turn that on explicitly.
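Added example, not from any post in this thread: the SSDP exchange behind the UDP 1900 traffic described above, built and parsed in POSIX shell so it can be inspected without a Roku on the network. A discovery client multicasts an HTTP-style M-SEARCH to 239.255.255.250:1900 and each device matching the search target unicasts back a 200 OK whose LOCATION header names its control endpoint; Roku devices answer the target `roku:ecp`, and the endpoint they advertise is the ECP service on TCP 8060, which is how anything that learns the address from port 1900 can go on to talk to port 8060. The response below is constructed to match that shape (the serial in its USN header is made up), not captured from a real device.

```shell
#!/bin/sh
# Added example (not from the thread): the SSDP discovery exchange that
# produces the UDP 1900 traffic seen in tcpdump. SSDP is HTTP over UDP:
# the client multicasts an M-SEARCH, matching devices unicast back a 200 OK.

SSDP_GROUP=239.255.255.250
SSDP_PORT=1900

# Build the M-SEARCH request. ST (search target) selects which devices
# answer; roku:ecp is the target Roku devices respond to. MX is the number
# of seconds a device may wait before replying.
ssdp_msearch() {
    st=${1:-roku:ecp}
    printf 'M-SEARCH * HTTP/1.1\r\nHOST: %s:%s\r\nMAN: "ssdp:discover"\r\nST: %s\r\nMX: 3\r\n\r\n' \
        "$SSDP_GROUP" "$SSDP_PORT" "$st"
}

# Constructed sample of the unicast reply a Roku sends (the USN serial is
# made up). Real replies use CRLF line endings; the parser strips them.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Cache-Control: max-age=3600
ST: roku:ecp
USN: uuid:roku:ecp:YH00AA000000
Ext:
Server: Roku/12.5.0 UPnP/1.0 Roku/12.5.0
LOCATION: http://192.168.1.23:8060/
'

# Print the value of one header (name compared case-insensitively) from an
# SSDP response passed as the second argument.
ssdp_header() {
    name=$1
    printf '%s' "$2" | tr -d '\r' | awk -v n="$name" '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == tolower(n)) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }
    }'
}

# The host:port a LOCATION URL points at. For a Roku this is the ECP
# service on TCP 8060, which answers GET /query/device-info and /query/apps.
ecp_host_port() {
    printf '%s\n' "$1" | sed 's#^http://\([^/]*\).*#\1#'
}
```

To send the probe on a real LAN, pipe `ssdp_msearch` into a UDP sender such as `socat - UDP-DATAGRAM:239.255.255.250:1900` and feed whatever comes back to `ssdp_header LOCATION`; the address it yields is exactly the information the thread is worried about a web page being able to obtain.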
-
@Octapoo said in Option to disallow web sites from probing and communicating with devices on my LAN.:
it might be WebRTC and it also thinks there should be an option to disable it,
See
Settings/Privacy and Security - Tracking Prevention :- Broadcast IP for Best WebRTC Performance. Turn this option OFF to disable.
Note: Some "privacy" extensions also have a "disable WebRTC" option - if you use one of these then it may force Vivaldi's option to always be ON so that the extension can then disable it.
@Octapoo
Hi, I guess the network experts here can explain it in detail, but any Chromecast device sends broadcast messages on the LAN on UDP port 8009.
Any software that knows the Chromecast protocol receives the broadcast and "sees" the Chromecast device.
You can send anything from a Chromium browser to any Chromecast device in the same LAN: video, images, the whole browser window. To my knowledge you can't disable this in the browser, only in a local firewall.
I don't think this is a security issue, browser and device only send handshakes.
The user decides whether to send data or not.
Cheers, mib
EDIT: Disabling WebRTC does not disable Chromecast.
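Added example, not from any post in this thread: a per-user iptables rule set of the kind the original poster describes, generated rather than applied so it can be reviewed first, plus a small membership check in plain shell arithmetic that tells you whether a given destination would be caught by it. It assumes the browser runs under its own Unix account (the account name `browser` is an assumption) so that iptables' owner match can single out that process's traffic; the owner match only sees locally generated packets, which is why the rules go in the OUTPUT chain. It goes a little beyond the thread: besides the three RFC 1918 ranges, link-local and the SSDP group 239.255.255.250 (UDP 1900) it also blocks the mDNS group 224.0.0.251 (UDP 5353), which Cast discovery uses alongside the TCP 8009 channel mentioned above. IPv6 is left out; an equivalent ip6tables set would need fc00::/7, fe80::/10 and ff02::/16.

```shell
#!/bin/sh
# Added example (not from the thread): block a browser, identified by the
# Unix account it runs as, from reaching LAN and discovery addresses.
# Assumption: the browser runs as user "browser" (change BROWSER_USER).

BROWSER_USER=${BROWSER_USER:-browser}

# Destinations a page loaded from the internet has no business reaching:
# RFC 1918 private ranges, link-local, and the SSDP (239.255.255.250) and
# mDNS (224.0.0.251) multicast groups used for device discovery.
LAN_DESTS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 239.255.255.250/32 224.0.0.251/32"

# Print the iptables commands instead of running them, so the set can be
# inspected; pipe the output into "sh" as root to apply it.
browser_lan_block_rules() {
    for dst in $LAN_DESTS; do
        printf 'iptables -I OUTPUT -m owner --uid-owner %s -d %s -j REJECT\n' \
            "$BROWSER_USER" "$dst"
    done
}

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip2int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: exit 0 if ADDR lies inside the prefix, else 1.
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# browser_lan_blocked ADDR: would the rule set above reject a connection
# from the browser to ADDR? Exit 0 for yes, 1 for no.
browser_lan_blocked() {
    for dst in $LAN_DESTS; do
        if in_cidr "$1" "$dst"; then
            return 0
        fi
    done
    return 1
}
```

Because the match is on the sending uid, nothing else on the machine loses LAN access, and loopback is untouched so a local dev server still works in the browser. The owner match needs the xt_owner module, which mainstream distributions ship; `-I` puts each rule at the top of OUTPUT so it takes effect before any broader ACCEPT rule already present.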
The WebRTC option doesn't prevent this.
I haven't seen anything like the "cast tab" so maybe the Chromecast port is a red herring, or perhaps YouTube is attempting to find a Chromecast device in addition to finding the Roku, so that it could use it directly even without browser support.
I note that Firefox doesn't show this "play on TV" button, so it's definitely possible for a web browser to prevent web sites from doing this.
In fact I think Opera would complain if a web site so much as linked to a page on a LAN IP address, popping up a window telling you that the link went to your intranet and asking if you wished to follow it. I tested this with Vivaldi, Firefox and Pale Moon, but alas, this seems to not be a thing anymore, at least with those three. All three will follow the link from the internet web page to the page on a LAN address.
The best any of them do is that Vivaldi refuses to load an image from a LAN server that is requested by a web page that came from the internet, while the other two happily request the image and include it in the page. So Vivaldi is better than the other two there, but of course that needs to be extended to preventing the web page from the internet from accessing anything on the LAN, not just images.
-
@Octapoo It seems the option was removed months ago (chromium moved cast to the core features)
https://www.reddit.com/r/Chromecast/comments/15p02p6/comment/jvvas11/
-
@Octapoo said in Option to disallow web sites from probing and communicating with devices on my LAN.:
Whatever is going on, it would be nice if there were an option to disable it, and it would be especially nice if it were disabled by default. People who want Google (and presumably any other web site) to be able to listen for and communicate with devices on their LAN should have to turn that on explicitly.
I strongly want to second this.