[HN Gopher] Why Is This Website Port Scanning Me?
___________________________________________________________________
Why Is This Website Port Scanning Me?
Author : BCharlie
Score : 919 points
Date : 2020-05-20 12:39 UTC (10 hours ago)
(HTM) web link (nullsweep.com)
(TXT) w3m dump (nullsweep.com)
| jamesfisher wrote:
| Potentially you can do more than just port scan; it's possible to
| use/access the servers that you have running on your local
| machine if they're left open. See my post about this:
| https://jameshfisher.com/2019/05/26/i-can-see-your-local-web...
| souterrain wrote:
| The greater issue is that browsers are allowing code executing
| from the public Internet _scope_ (scope meaning security domain)
| network access to the localhost scope or the Intranet scope
| (RFC1918 addresses.)
|
| If anything, this should require very explicit permission
| granting from the user. I'd prefer it be something more like an
| undocumented toggle accessible solely to developer types.
| api wrote:
| Yeah, that's the best solution. It should be like microphone or
| camera access. It should say "this web site is attempting to
| access a resource on your local system / network."
|
| I don't think you need to overdo it in terms of making the
| warning red, etc. Just a popup will really discourage people
| from trying to use this for fingerprinting.
|
| BTW the site says:
|
| "Port scanning is malicious." I don't agree. There are many
| many things that can look like a port scan but are not
| malicious, most notably NAT traversal attempts by WebRTC,
| games, chat apps, and so on.
| fossuser wrote:
| Yeah - if anything this post is evidence of a use case that
| _isn 't_ malicious.
|
| While it can be used to get information to bad things, it
| itself can be used for good things too.
| grendelt wrote:
| Right. "it is clearly malicious behavior and may fall on the
| wrong side of the law."
|
| It's _not_ against the law. It might be _shady_ but it 's not
| illegal. When I'm teaching cyber intro classes, I let folks
| know portscanning is NOT illegal but shady. It's like going
| to a business after hours. It's not illegal to rattle doors
| and windows to see if they're locked. The police might have a
| different take on it, but it's not illegal.
| brundolf wrote:
| Yes, it's very similar to CORS. They just need to block all
| localhost requests from non-localhost pages. Maybe carve out an
| exception for when the dev tools are open.
| marcojrfurtado wrote:
| There are legitimate reasons for port scanning, but I'm not
| sure most websites out there are using it for noble purposes. I
| guess browsers could allow it based on explicit permission from
| the user, just like it's already done for microphone and
| camera.
| pantalaimon wrote:
| Yea this is very surprising. I run a file server in my local
| network. There is no access control on it because it's behind
| my router's firewall, but everyone in the LAN can access it.
|
| I find it _very_ surprising that now any random website can
| access it with no oversight. Why worry about spectre and
| meltdown when such blatant backdoors are implemented in
| browsers?!
| souterrain wrote:
| Port scanning from a user's browser is effectively sneaking
| behind a user's firewall. The only legitimate reasons I can
| envision are security research, and this, to me, is such a
| small edge case that I'm not sure such access is ever
| warranted.
|
| I'd be all for a user notification that says "fnord.com wants
| to access 192.168.0.10 on tcp/443, which seems to be a web
| server on your home/work network. Are you sure you want to
| allow this?" I'd want to see this for _each_ new access
| request, such that port scanning would not be a use case that
| was supported.
|
| Sure, have an about:config toggle to shut this off, with
| appropriate warnings.
| kchr wrote:
| This. It could even have a "remember my choice for this
| domain/subdomain".
| asudosandwich wrote:
| >> There are legitimate reasons for port scanning
|
| Such as?
| jimmaswell wrote:
| IRC servers detect open proxies that way.
| jorams wrote:
| IRC servers don't run in a browser. Instead they scan
| ports from the outside, which is not a problem. Anything
| they find is open to the entire internet anyway.
| bjt2n3904 wrote:
| You run a network, and want to run a security audit. You
| need to know what devices are operating on it, and what
| services they are offering.
|
| I don't get upset if someone opens and closes a socket to
| my VPS to see if something's there. My VPS is exposed to
| the internet. If a socket opens, it should be secure
| anyways. There's the chance nginx has an unknown zero day,
| but if I wanted to avoid that, I'd firewall it.
|
| Things are a little less nice if you open a socket and
| start sending data to see what's there, assuming the server
| doesn't respond with a banner.
| pdonis wrote:
| _> You run a network_
|
| That might be a reason for you to port scan your network.
|
| It is not a reason for your website to port scan _my_
| network. Especially since your website running inside my
| browser is inside my firewall.
|
| _> and want to run a security audit_
|
| Then you use tools designed to run security audits. You
| don't open a huge security hole in everybody's browser
| just so you can use a browser to run a security audit.
| jschwartzi wrote:
| What about port scanning your service before you've
| secured it during development? At some point we have to
| be able to trust the network we're on. It's ludicrous to
| expect everything to be configured correctly and securely
| right from the start especially if you're developing the
| thing being scanned while it's being scanned. I'd much
| rather websites not be able to scan my home or office
| network than have to treat that network like I treat the
| Internet.
| cgranier wrote:
| But that's a very different use case than having a
| website you visit portscan your computer (which I believe
| is what the user above you is referring to.
|
| There's really no legitimate reason for eBay, or any
| other website, to portscan your computer. There's nothing
| there needed for browsing their website.
| ohazi wrote:
| > I don't get upset if someone opens and closes a socket
| to my VPS to see if something's there. My VPS is exposed
| to the internet.
|
| That's not what's happening here.
|
| My laptop is _not_ exposed to the public internet because
| it 's behind a firewall / NAT. This is like going to my
| house, plugging a device into an Ethernet port on my
| router, and scanning my internal network _from inside_ my
| network.
|
| Except instead of them planting a device, all they have
| to do is get you to navigate to their webpage. They're
| getting _your laptop_ to do the port scanning for them,
| and in so doing, they get access to your internal
| network. The problem isn 't port scanning, the problem is
| NAT busting.
| zrobotics wrote:
| I'm curious, what would be a good reason to do this? I'm not
| creative enough to think of anything this enables a site to
| do that isn't malicious. If I'm running a service on
| localhost, and that service needs to communicate with the
| site I'm browsing, surely I could just direct that service to
| communicate with the site itself.
|
| For instance, if I'm running a local chat application and
| need it to communicate with the web version, why does the
| website need to be able to port scan to accomplish this? I
| can think of other ways to accomplish this that are a lot
| more secure.
| AnIdiotOnTheNet wrote:
| Synology uses it to find your unconfigured device on the
| network for first time setup.
| tlb wrote:
| Ubiquiti routers have a fairly magical browser SPA that can
| run on their domain and talk to local routers. It involves
| webrtc connections to local addresses.
|
| But I think if same-origin were enforced more strictly,
| they could have found another way.
| Macha wrote:
| Huh, I never looked but always assumed this was proxying
| through the controller.
| tlb wrote:
| It does this most of the time, either through the cloud
| or direct to the controller. But during setup of the
| first device on a network it does something direct from
| the browser to get it connected to the cloud.
| SmallPeePeeMan wrote:
| How is this different than the admin page for any other
| router brand? (SPA does not seem relevant to this
| discussion)
| efokschaner wrote:
| This might be banks trying to detect compromised users.
| Many "tech support" scams aim to get remote desktop access
| to users PC's and then have them log in to their bank while
| scammers are connected. I could see how banks looking for
| remote access software could be a useful heuristic in
| fighting this problem.
| codezero wrote:
| Here's my hypothesis: it's to detect bots.
|
| Your bot is running a redis server locally, it allows local
| connections, because it's just a bot, boom.
|
| Taking it a bit further, if we have really smart people
| involved: the timing of the attempted
| connections/rejections tell you something about the system
| that you can use to detect bots/scrapers.
|
| Another example of this being used in the past is to scan
| for chrome extensions that scrape site content as well. I
| believe LinkedIn might have gotten hit hard for trying
| something similar but they were using extension URLs not
| localhost. Some extensions do spin up localhost services
| though.
| chrisshroba wrote:
| I'm not defending this use case, but one example I can
| think of is that Spotify runs a local server so that
| websites you access can control it, e.g. if you are on
| Billboard looking at top music charts, clicking on a song
| could start the song in Spotify, and even embed a player in
| the web browser, without you needing to be signed into
| Spotify in your browser.
|
| Here's an interesting tangential article about how they get
| around obstacles with SSL certs for localhost:
| https://letsencrypt.org/docs/certificates-for-localhost/
| alex_duf wrote:
| Agreed, or at least disabling localhost and 192.168.0.1 and
| whatever that is in IPV6
| pantalaimon wrote:
| You will usually have a public address with IPv6
| marcosdumay wrote:
| > to the localhost scope or the Intranet scope
|
| That's too little. All access from a different origin should be
| blocked by default, not only to local nets.
| oplav wrote:
| That's what CORS is for, but it appears that there is no CORS
| for WebSockets.
| souterrain wrote:
| CORS is not in the hands of the user. I don't want a CORS
| policy authorizing access to my intranet or localhost.
| oplav wrote:
| If the user decides to run a service on their intranet or
| localhost with a wide open CORS policy, isn't that their
| choice?
|
| Forgoing CORS and making all inter domain requests user
| opt-in would make the web experience a lot worse, IMO.
| Making all intranet or localhost requests user opt-in
| seems less disruptive.
| souterrain wrote:
| However, TCP sockets can't publish CORS policies.
|
| In the case of scanning, a CORS denial can still reveal
| information about the user's internal network, as a CORS
| denial is a different result than a network timeout or a
| TCP RST.
| kevingadd wrote:
| CORS is set by the target, so localhost CORS policy is
| _directly_ in the hands of the user. intranet CORS policy
| is set by whoever operates that intranet service
| souterrain wrote:
| You're right; a bit of a brain fail there for me.
|
| Still, doesn't mitigate attacks against non-HTTP
| speakers.
| johncolanduoni wrote:
| It does in the sense that you won't be able to control
| the websockets payload, so the target server generally
| won't respond. The problem here is that the information
| leak is happening prior to any data being sent over TCP,
| so the fact that the server will drop the connection as
| invalid doesn't help.
| xg15 wrote:
| WS does have its own way of cross-domain opt-in. I think it
| users slightly different headers than CORS for historical
| reasons but effective does the same.
|
| That a script is able to gather information about an origin
| that did not it in seems like a serious bug to me.
| johncolanduoni wrote:
| This is because websockets were created after the same
| origin policy, so they have always sent the origin header
| that allows the server to filter connections. CORS was only
| needed because the browsers were adding the same origin
| policy to HTTP requests that had historically never had it,
| so they needed some set of rules (and overrides for them)
| that didn't break existing websites.
| souterrain wrote:
| I stand corrected. I think yours is the correct approach.
|
| How shall origin be defined? I can envision the likes of
| Microsoft which have many, many second-level domains making
| calls between them.
|
| We can't allow the site itself to grant access. How would
| this be managed, other than "please stop and think what a
| domain name is supposed to be before spraying your product
| across twelve of them?"
| derefr wrote:
| To be clear, evil.com can define sub.evil.com to resolve to
| 127.0.0.1. You basically can't look at domains to mean
| anything much. You have to look at IP addresses.
|
| (Which is in turn made harder by IPv6 public addressing,
| where you can't just block the private IP range because you
| might not be behind a NAT in the first place, instead
| _only_ behind a firewall. So your address A::B, can route
| to your Intranet peer A::C, which isn't public-routable,
| but _is_ a public address. But there's nothing, other than
| the firewall, that _says_ that that's not a public address.
| It's a hard problem!)
| tylerhou wrote:
| To add on to your point, _even if_ you allow evil.com to
| only access evil.com and not any subdomains, your browser
| is still vulnerable because of short TTLs on DNS
| resolution.
|
| evil.com can set a short DNS TTL, and after you access
| it, it can rebind its address to 127.0.0.1. Then
| subsequent requests to evil.com go to localhost (e.g.
| fetch("evil.com", ...) on evil.com will go to 127.0.0.1
| if the DNS rebound successfully).
|
| Caching a website's IP on first use doesn't help, either,
| because it breaks long sessions on websites that use DNS
| rebinding for legitimate purposes (load balancing,
| fallover).
|
| The only real way to fix this is for the local webserver
| to check the Host header on the HTTP request... or look
| at IP addresses. But building a global registry of IP
| addresses is hard, so we're stuck with trusting
| application developers (and malware writers) who run
| servers on localhost to use good security practices.
| khc wrote:
| This would prevent most users from visiting that site
| (since most of the time it will resolve to 127.0.0.1)
| roywiggins wrote:
| Evil.com could be set to resolve normally but redirect
| you to <plausible random word>.evil.com, which resolves
| normally once and then performs the attack, leaving
| evil.com able to keep serving new visitors.
| johncolanduoni wrote:
| We already have a notion of origin that is used for most of
| the browser security policies (exact match of domain,
| protocol, port). Websockets allow servers to enforce this
| policy by sending an Origin header, but unfortunately
| observing the error messages/timing still allows you to
| determine if the port is open at the transport layer even
| if you can't establish a connection. Since websockets
| routinely need to connect to different origins (they can't
| be routed exactly like normal requests, though many
| CDNs/reverse proxies can handle both), browsers would need
| to remove the information leak themselves by normalizing
| error messages and timing across failures.
| marcosdumay wrote:
| Granting access down seems ok to me. To make it really
| generic, you would need a way to query the upper domain if
| accessing a sibling is ok.
|
| The process is different enough from cookies to warrant
| another large discussion about how to do it, with plenty of
| trial and errors. But the stakes are much lower, as in the
| worst case the user will get a dialog, instead of a site
| being broken.
| n0tam3m3 wrote:
| The company may be interested in whether they want to grant
| access to the user to access to their systems. Does the user
| shoulder any responsibility?
| 3fe9a03ccd14ca5 wrote:
| Consent.
| imglorp wrote:
| No, absolutely not.
|
| It shouldn't matter what malware is on a client device as
| long as the client has authenticated; the server/company/ebay
| should be protecting their API from abuse at the API layer,
| not the client layer.
| souterrain wrote:
| I think what you're saying is the user might be an employee
| on some internal trusted company network. The employer should
| have control of that browser (and entire endpoint), otherwise
| the network should likely not be considered trusted. So, in
| this case, no, the user shouldn't have the ability to
| authorize this; the administrator of that browser should.
|
| Know your network.
| bosswipe wrote:
| Javascript was a mistake, seriously. The benefit-cost ratio from
| the user's point of view is disastrous. I'd rather slog through
| less fancy data entry forms than suffer endless tracking, privacy
| and security attacks.
| maayank wrote:
| If anyone thinks of implementing this, don't forget to guard
| against reflection attacks[1]
|
| EDIT: revisiting my comment (and the wikipedia article linked), a
| reflection or amplification attack in this context is sending
| traffic and generating (perhaps much more) traffic from a
| different source than yours as part of an attack. For example,
| you could spoof the IP address of the HTTP packets and cause the
| server to port scan another machine -> little traffic (HTTP
| request) causing a lot of traffic (port scanning). As part of a
| DDOS attack, a botnet for example could use this to amplify their
| attack and masquerade the source.
|
| [1] https://en.wikipedia.org/wiki/Denial-of-
| service_attack#Refle...
| gfxgirl wrote:
| This is bad and should be blocked IMO, at least by default, but
| can a site do anything other than find out which ports respond to
| a websocket request? AFAIK they can't send arbitrary network
| packets. The websocket will only open if the port they are trying
| to talk to speaks websocket back. This is mentioned in the
| article.
|
| I'm not saying that's okay. I still don't want them scanning
| ports on my machine. There might be some services that offer a
| websocket connection like Plex for example, or the Kinect driver,
| or Leap Motion. I also don't want them cataloguing ports that are
| open.
| foobarplopp27 wrote:
| This guy Just has it wrong when he calls port scanning an
| adversarial technique. It's Just a way to discover Services. You
| can then use the result to do malicious things but it's not like
| the only or even main purpose. I humbly refer to this:
| https://koeln.ccc.de/ablage/portscan-policy.xml (Google translate
| can help with the german)
| segfaultbuserr wrote:
| It's why Tor Browser restricts access to localhost by default.
| This problem was already predicted and considered by Tor
| developers back in 2014, see ticket #10419 - _Can requests to
| 127.0.0.1 be used to fingerprint the browser_ [0] and has been
| fixed since then. Scanning localhost is a dangerous way to
| fingerprint the user if there are local open ports.
|
| If you are not using Tor Browser and want to fix the security
| hole without disabling WebSocket completely, running the web
| browser in a separate network namespace is a workaround - you get
| a loopback interface which is independent from the main
| namespace, and you create a NAT interface within the network
| namespace to allow outgoing traffic. It's also a possibility for
| a website to probe other machines, such as the setting page on
| your router. For better protection, you should block all the
| local addresses defined by RFC1918 via netfilter/iptables as
| well.
|
| For developers who needs less restrictive blocking for debugging,
| you can run multiple Firefox processes in different profiles (
| _firefox -P --new-instance_ ), each running in a different
| network namespace - to make it easy, you can code everything in a
| shell script and create desktop icons for them. I normally use an
| ad-blocked and 3rd-party-cookies-blocked profile for web
| browsing, but a naked Firefox profile for development.
|
| [0] https://trac.torproject.org/projects/tor/ticket/10419
| AdmiralAsshat wrote:
| I feel like uMatrix covers this as well. I've sometimes found
| myself redirected to some shady Chinese site and seen blocked
| attempts to localhost or 127.0.0.1 show up in the dashboard.
| Thriptic wrote:
| I always wondered what was going on when I saw localhost show
| up in the connections listing for a site in uMatrix, TIL.
| gsnedders wrote:
| > It's why Tor Browser restricts access to localhost by
| default. This problem was already predicted and considered by
| Tor developers back in 2014, see ticket #10419
|
| Sorry to invoke the meme, but Opera did it first[0], in Opera
| 9.50 (2008). I don't have a good reference to hand, but [1] is
| a developer complaining about this. [Edit: [2] covers the
| feature in some detail.]
|
| Opera also blocked access to private IP addresses (so there
| were three tiers: public IPs, private IPs, localhost; higher
| tiers could communicate with lower ones, so the block was only
| unidirectional).
|
| IE10+/EdgeHTML-based-Edge (and I know there was some talk about
| blocking this in Chromium-based Edge) also blocks it, so that
| too is prior art to the Tor change.
|
| [0]: https://w3cmemes.tumblr.com/post/62942106027/if-you-can-
| thin...
|
| [1]: https://stackoverflow.com/questions/1836215/access-
| to-127-0-...
|
| [2]:
| https://web.archive.org/web/20140302021701/http://my.opera.c...
| gsnedders wrote:
| To add more about why current browsers don't do this:
|
| One is clearly that you need to communicate the requesting IP
| deep enough into the network stack to the point where you get
| the DNS response (if there is one), which means there's a
| fair bit of work to ensure this is done everywhere;
|
| Another is it's known to break corporate websites
| (https://internal.bigcorp.com/ on a public IP expecting to be
| able to access private IPs on their intranet), and smaller
| browsers are reluctant to lose corporate users by changing
| long-standing behaviour;
|
| Then there's the WebRTC question: if two users on the same
| local network start a WebRTC call, do we want all this
| traffic to go to via first point where the public IP is
| known? For the majority of users the answer is no. And as
| long as that's possible, there's a (very limited) means of
| local communication. (But if it's limited to only things that
| respond to the WebRTC handshake, we're already in a much
| better place!)
| vbezhenar wrote:
| In Kazakhstan we have e-government website. This website
| allows users to use crypto-tokens to access government
| services (every citizen can get a digital certificate
| representing his identity).
|
| This website used to run Java applet. This applet was
| signed and it could access restricted APIs to access USB
| device. So website talked to applet and applet talked to
| USB device to sign data.
|
| After major web browsers disabled Java applets, they
| implemented another approach. Now user must install a
| software which runs a web server on 127.0.0.1. This
| webserver listens on a specific port and uses web socket to
| communicate.
|
| So government website now uses JavaScript to connect to
| 127.0.0.1:12345 using websocket. And then it uses that
| connection to interact with USB device.
|
| So an ability for external website to connect to 127.0.0.1
| actually is essential for this use-case.
|
| My guess is that there are plenty of other websites which
| use local web server to interact with locally installed
| software. I know at least one another such a website:
| Blizzard website. It runs web server in its game launcher
| and website can communicate with it.
|
| PS also they have to install custom trusted certificate
| because browser requires wss from https and there's no easy
| way to get a legitimate certificate for that kind of use.
| geofft wrote:
| Since these use cases already require having software
| installed on your machine, it seems fine and safer to use
| a browser extension with native messaging for this:
|
| https://developer.chrome.com/extensions/nativeMessaging
|
| https://wiki.mozilla.org/WebExtensions/Native_Messaging
|
| That bypasses the entire certificate question and lets
| the website know it's communicating with exactly this app
| and not something happening to listen on the port (and
| vice versa, too).
|
| ... Or, depending on what you're doing, just use a real
| desktop app, perhaps with an embedded browser.
| loeg wrote:
| Outside of DNS, the other reasons are about local networks,
| not 127.0/8. There's no good reason to permit port-scanning
| 127.0/8.
| nucleardog wrote:
| So remove "port scanning" since the only difference
| between port scanning and "legitimate" connection
| attempts is rate.
|
| Should websockets be able to connect to the local
| machine?
|
| In some cases that could be useful (even if something the
| kinds of people visiting this site might be uncomfortable
| with). E.g., a local daemon that listens for a websocket
| connection and a public web page that's used for managing
| it.
|
| I don't think it was implemented this way, but think
| something like Battlefield 3's matchmaking: the user
| visits the online service and finds a match to join, and
| when they want to join it passes the relevant information
| to the game via websocket.
|
| I imagine stuff like this has been implemented in at
| least a couple cases that you'd break just wholesale
| blocking connections to 127/8.
| gsnedders wrote:
| Still need to know where the top-level page is loaded
| from, though: you do want to allow requests from 127/8 to
| "localhost".
| Kipters wrote:
| UWP apps block requests to localhost too for the same reason
| hanniabu wrote:
| > If you are not using Tor Browser and want to fix the security
| hole without disabling WebSocket completely, running the web
| browser in a separate network namespace is a workaround - you
| get a loopback interface which is independent from the main
| namespace, and you create a NAT interface within the network
| namespace to allow outgoing traffic. It's also a possibility
| for a website to probe other machines, such as the setting page
| on your router. For better protection, you should block all the
| local addresses defined by RFC1918 via netfilter/iptables as
| well.
|
| As someone less tech savvy but still concerned, are there any
| guides available on how to do this?
| anderspitman wrote:
| You can look into tools like firejail to make this easier.
| cameronperot wrote:
| +1 for firejail [1]. There's a guide on how to do this for
| firefox [2] (see the network setup section), but this can
| be used with other applications as well.
|
| [1] https://firejail.wordpress.com/
|
| [2] https://firejail.wordpress.com/documentation-2/firefox-
| guide...
| anderspitman wrote:
| Note that the further I went down the sandboxing rabbit-
| hole, the more questions it raised about whether it's
| more or actually less secure. The main problem is that in
| order to work, these tools often use a setuid binary,
| which actually has more permissions than most users. So
| in theory if a sandboxed app finds an exploit in the
| sandboxing program (like firejail) that you're running
| inside, you could actually be worse off than it breaking
| out of whatever program you're sandboxing in the first
| place.
|
| I think in this case though where you're more concerned
| about the very real problem of websites accessing
| localhost, it probably outweighs the maybe of a firejail
| exploit.
| Thriptic wrote:
| It's also possible to run a web browser in a docker
| container which can be interacted with on the host OS.
| This avoids the permissions issues with solutions like
| firejail:
|
| https://blog.jessfraz.com/post/docker-containers-on-the-
| desk...
| willglynn wrote:
| `docker` implies access to the Docker daemon, which is
| not an improvement over the setuid binaries anderspitman
| found distasteful.
|
| https://docs.docker.com/engine/security/security/#docker-
| dae...
| [deleted]
| lxdquestion wrote:
| Genuine question, would LXD be any better? I'm not an
| expert in containerization but I find it really
| interesting.
|
| There are some blogs that talk about how to do this:
| https://blog.simos.info/how-to-easily-run-graphics-
| accelerat...
| cameronperot wrote:
| Interesting point, I hadn't made it that far down the
| rabbit hole. I agree that it's not a complete solution,
| and possible risks of exploiting the sandbox itself
| should be taken into account on a case-by-case basis.
| xg15 wrote:
| To my knowledge, a lot of effort has been put into the design of
| CORS (and related APIs) to specifically prevent misuse like that.
| A well-behaved Websocket implementation should not give the
| calling script any indication _why_ a connection failed.
|
| I know timing oracles are difficult to avoid in many cases - but
| the technique shown here seems to actually exploit different
| kinds of exceptions being thrown by the browser.
|
| This seems like a straight-up bug and pretty serious security
| vulnerability to me.
| brundolf wrote:
| I don't follow what this has to do with websockets specifically;
| they just go over HTTP, so why couldn't you do this with a
| regular HTTP request?
|
| Either way it seems easy to mitigate at the browser level: block
| all requests to localhost that don't originate from a page served
| on localhost. It's not that different from the CORS policy.
| Jonnax wrote:
| Browsers should be blocking this by default.
|
| "This website is trying to access services on your local PC, do
| you want to allow?"
|
| Or at least as blockers should have a rule for it.
| crazygringo wrote:
| First of all, fraud detection seems like a legitimate use case
| here. And WebSockets has many valid uses.
|
| _HOWEVER_ -- how the hell is localhost port scanning allowed to
| happen _without my permission_?!
|
| This feels no different from a website trying to check the
| existence of named directories on my file system or something.
|
| Does WebSockets not require permission to function at all, or
| shouldn't it be limited to some kind of CORS-type policy or
| _something_ to connect without a permissions dialog? Or _even_ if
| it 's allowed to port scan the entire public internet, at least
| block your local machine and network without explicit permission?
| ryan-allen wrote:
| If you find a way to prevent this in Chrome/Edge please let me
| know.
|
| Edit: https://defuse.ca/in-browser-port-scanning.htm
|
| There doesn't seem to be a way to access anything locally, just
| test for open ports. I use SSH tunneling a lot and was having a
| minor freak out.
| thisisnot wrote:
| in firefox it seems you can disable websocket with
| network.websocket.max-connections = 0
|
| Firefox and the illusion of privacy
|
| (1)https://www.remembertheusers.com/2018/03/0455-firefox-and-
| th...
| brainzap wrote:
| This is why the websocket implementation does not have meaningful
| error codes, so people can not abuse it. But they still do.
| anderspitman wrote:
| Curious what HN thinks about this hypothetical: Imagine you have
| a web app designed to talk to a specific backend server API. It's
| also common for users to run instances of the server on their
| local machine. How would you feel about the app checking a
| (single) well-known port to see if there's a local server
| running, and prompting the user: "we detected you're running a
| local copy of the server, do you want to connect to it?"
|
| This doesn't seem to be done very often, and the public cases
| usually seem to be pretty ugly (Zoom). But I could see it being
| useful. Imagine for example an app for browsing S3 directories,
| that could also detect if you're running a minio server and allow
| you to connect to it, and transfer data back and forth between
| your different backends.
| CobrastanJorji wrote:
| I don't think the case that you're describing is unethical, but
| I also don't see it as beneficial enough to outweigh the
| security risks of it being possible.
| kgersen wrote:
| port scanning is fine and should not be illegal. It's just
| "looking" at a house to see if there is a door and what type of
| key (protocol) it uses.
|
| Trying to open a connection on the other hand it's like trying to
| open the door. That should be considered as a violation.
| pfundstein wrote:
| Most port scanning works by 'Trying to open a connection'. I'm
| not sure where you're saying the line is, but it's very fuzzy.
| woadwarrior01 wrote:
| Port scanning from an external host is fine and dandy, but
| doing it on localhost from the user's browser crosses the line,
| IMO.
| crankylinuxuser wrote:
| Then why did your "user agent" permit it? Seems rather anti-
| user.
| megous wrote:
| I use uMatrix, and only thanks to that I realized my bank
| is doing this too a long time ago.
| kchr wrote:
| Regardless, your user agent still tries to.
| corentin88 wrote:
| Imagine you start to look at houses in your neighborhood << to
| see if there is a door and what type of key it uses >>.
|
| That sounds pretty suspicious to me. At least you need the
| consent of the house's owner.
| kchr wrote:
| Suspicious != Illegal.
| pbhjpbhj wrote:
| Do you need consent of the owner?
|
| You might be doing a legitimate survey (as part of a
| locksmith business, say)?
| jerf wrote:
| Don't try to understand this with metaphors. It's a trap. Port
| scanning isn't enough like anything in the real world for the
| analogies to apply.
|
| I'd strengthen pfundstein's claim; port scanning intrinsically
| works by trying to open connections. That isn't enough "like"
| any particular physical thing to make it a correct analogy; it
| isn't knocking, or walking in, or opening, or anything else.
| But one thing we can say, without using analogies, is that it
| is definitely an _active_ effort, an action deliberately taken,
| not something passive like "looking" is in the real world.
| That is not on its own proof that it is wrong... I am merely
| saying, it is certainly _active_ , not passive.
| pbhjpbhj wrote:
| I think your final objection fails by bad analogy too: one
| has to _actively_ direct ones gaze, in general, if one is to
| notice a type of lock or other security arrangements.
| jerf wrote:
| I'm not analogizing to "actively looking"; I am saying, it
| is an active action. You can tell it's active because if
| they don't make deliberate decisions to write code that
| performs this scan, no scan will happen. They have had
| meetings about this functionality, and implemented it, and
| tested it, and management has signed off on it, and in a
| place like eBay quite likely their legal department has
| signed off on it. It is an action they have taken, with
| deliberation and intention; it is not a thing that just
| suddenly started happening to them one day, like, Firefox
| shipping a new browser that has a new default font or
| something.
|
| I'm referring to the literal, probably-hundreds-of-person-
| hours actions taken to create this functionality. This is
| relevant to both ethical and legal analyses. No analogy.
| [deleted]
| koheripbal wrote:
| Yeah, I'm not saying it should be illegal, but it's hard to
| see a use-case for scanning on a remote network that isn't
| malicious or security related.
| enedil wrote:
| In this case, it's asking a clueless kid that lives in this
| house to try to open the selected door, and you guess whether
| the door was open or closed by the time after he returns.
| pbhjpbhj wrote:
| That's called "casing a joint" ...
|
| I think it comes under the Criminal Attempts Act 1981. But it
| might come down to whether you gather information, if you test
| a port, intending later - if successful - to attempt an
| exploit, then that seems like it could be unlawful (under the
| Law of England & Wales). Keeping a record of ports found with
| services could be sufficient to demonstrate intent.
|
| [Just to be clear, I'm not endorsing/condemning the law here.]
| underdeserver wrote:
| Doing it from the browser is like trying to open the door _from
| the inside_. It 's crappy behavior.
| bencollier49 wrote:
| It's a bit like being invited to someone's house, and then
| going through the drawers in their bedroom while they're in
| the toilet.
| ozim wrote:
| It is not fine. Just like burglars looking at a house is not
| fine (still nothing to do with being legal or not). Intent
| defines if something is OK or not. Just like killing is always
| illegal but when you do it to save someone else it is hmm less
| bad, you see intent...
|
| What are the intents of people doing scan? I don't see any
| legitimate reason for scanning random people computers or
| servers that are not yours.
| drbenway wrote:
| I've noticed many of the survey for cash sites use websockets to
| scan for running services on your machine Personally I think its
| straight up evil
| folmar wrote:
| Those are natural abuse (automation) targets so always used a
| lot of tracking.
| xur17 wrote:
| Is there a way to block this at the browser level? Ex: block
| access to localhost for all domains (except from localhost
| itself)?
| inetknght wrote:
| Use uMatrix and set a global block.
| anarcat wrote:
| specifically, websockets are blocked by the "XHR" component
| on the popup panel, which also blocks XmlRPC and the Fetch
| API. as a rule, you could block all XHR requests everywhere
| with: * * xhr block
|
| What I actually do is block everything but first-party
| requests, apart from CSS and images: * * *
| block * * cookie block * * css allow
| * * frame block * * image allow * 1st-party *
| allow * 1st-party css allow * 1st-party frame
| allow * 1st-party image allow
|
| i actually allow xhr on third-party requests once i enabled
| third-party requests, which makes it possible to "enable" a
| bunch of site with two clicks (popup panel then click on
| "all").
| gruez wrote:
| Ublock allows you to block websocket requests. eg.
| *$websocket
|
| will block all websocket connections. You probably want to
| operate on a whitelist on a site by site basis. Blocking
| localhost or 127.0.0.1 isn't reliable because sites can use dns
| rebinding attacks to bypass your filters.
| parliament32 wrote:
| That helps one of the vectors, but you can scan with pure JS
| too: https://portswigger.net/research/exposing-intranets-
| with-rel...
| thanksforfish wrote:
| This helps, but can't you also do this sort of scanning
| without websockets?
| billme wrote:
| How? This appears to bypass NATs Network Address
| Translation) & Firewalls.
| Cactus2018 wrote:
| Thanks for this. Adding the string to uBlock Origin's "My
| Filters" tab worked perfect. *$websocket
|
| Tested with https://websocketstest.com/
| jhhh wrote:
| Ublock origin says it supports ABP filter rules which allow
| for whitelisting sites which seems like it should allow
| something approximating: ~site.com$websocket
| *,~site.com$websocket
|
| However this seems like it's invalid syntax because switching
| your example to this opens all websocket use back up tested
| via https://websocketstest.com/
| edoceo wrote:
| Whitelist sites that you allow WS features.
| bilekas wrote:
| I wonder though if it was just a websocket that could do
| this, surely some client side JS can just itterate the same
| when loaded.
| chippy wrote:
| Could you expand upon how to do this? And what does WS mean?
| bilekas wrote:
| WS is WebSockets, its a protocol so you could disable it at
| that level.
| ekimekim wrote:
| I do this by running my browser in its own network namespace,
| with NAT to the outside world. A couple more firewall rules
| explicitly add forwarding for specific localhost ports.
| bilekas wrote:
| Was thinking the same, maybe creating a service account for the
| browsers, I believe they do need some level of elevation but
| then using the firewall rules disabling everything expect
| http/s ports.. Websockets and others might be an issue, might
| need to be updated on an adhoc basis though and shouldnt be the
| reposonsibilty of the users.
|
| This is kinda gross practice overall.
| sitkack wrote:
| I can't believe of the 363 comments no one has mentioned Samy K
| and his awesome Poisontap project. Parts of which did this local
| scanning and connecting to your internal router management page.
|
| https://github.com/samyk/poisontap
|
| See also,
| https://www.theregister.co.uk/2010/01/05/geo_location_steali...
| Giorgi wrote:
| I don't think motivation is malware detection, I am assuming this
| is sort of fraud detection (like carding)
| swalsh wrote:
| I can think of a legitimate use case for this. If you watch some
| of these scammer youtube videos, one common thing they seem to do
| is get on a screensharing application, and have the user log into
| their bank account. From there, the scammer inspects the html,
| and manipulates the values to trick the victim.
|
| A bank knowing if someone else is watching your screen is a
| decent security measure.
| osolo wrote:
| My kids complained today that Google Classroom isn't working.
| After a quick investigation, I noticed that Snort on my firewall
| blocked the relevant Google server due to incoming TCP port
| scans. Sigh.
| driverdan wrote:
| Can you share the server IP / hostname?
| r1ch wrote:
| Be careful with automated rules - unless it's a full TCP
| handshake, you can't conclusively identify the source of a port
| scan as the IP may be spoofed. If someone port scanned you and
| spoofed eg the IPs of your DNS servers, you've self-DoSed
| yourself.
| BCharlie wrote:
| Yikes! Maybe that's the next thing I will take a look at...
| dawnerd wrote:
| eBay must have some logic to determine who to scan. I can't get
| it to trigger on my windows desktop or mac.
| zlynx wrote:
| If you want analogies, this is like walking into a bank to do
| business and the security guard checking to see if you're wearing
| a mask.
| tryauuum wrote:
| People are good at inventing analogies that support their point
| of view.
| azinman2 wrote:
| Any suggestions of ways to block this? Any Safari extensions?
| XaspR8d wrote:
| This does suggest to me that browser websocket requests against
| localhost should at least:
|
| 1) return the same error message for all failures (unless some
| opt-in / launch flag is set)
|
| 2) fiddle with the timing slightly to make timing attacks less
| useful? (how long is a localhost TLS connection? 100ms? I think
| devs can wait a handful of frames for their failure response.)
|
| I have no idea how many legitimate apps are leveraging some kind
| of localhost connection -- it sounds like an unusual use case but
| I can certainly imagine some enterprise app that ties into
| desktop services or programs by that route.
|
| EDIT: Of course banning them outright or requiring specific user
| whitelisting of domains would work as well. Just trying to get
| away with the smallest change.
| awinter-py wrote:
| TLDR because you have javascript enabled
| barbarbar wrote:
| So if disable javascript - it will not be possible?
| splonk wrote:
| > Furthermore, when I installed and ran a VNC server, I didn't
| detect any difference in site behavior - so why is it looking for
| it?
|
| Not an eBay employee, but used to work in fraud detection. Two
| very obvious related guesses from my experience:
|
| 1. Fingerprinting a user to help identify account takeover (ATO).
| Open port signatures is probably a pretty good signal for that
| kind of thing (and it doesn't seem to be measured in
| https://panopticlick.eff.org/).
|
| > However it is also a valid tool used by administrators for
| remote access to machines, or by some end user support software,
| so the presence of VNC is a poor indicator of malware.
|
| 2. In a Bayesian sense, this probably isn't right. I don't know
| what eBay's traffic looks like but I'm willing to bet that all
| other things being equal, traffic coming from a machine with an
| open VNC port is riskier. Fraud detection is a game of
| probabilities, so the existence of a valid user showing a
| particular characteristic doesn't mean that the characteristic
| isn't useful in a fraud model. The example I always give is that
| when I was doing this (quite some time ago), we could have had a
| 99% accuracy rate for a simple rule banning IPs from Turkey,
| Ghana, Nigeria, and Vietnam. It's not because there weren't any
| valid users from those countries, it's just that the fraudsters
| where overwhelmingly likely to be using IPs from those countries.
| m3047 wrote:
| Apropos past issues with Zoom installing a local server, this is
| important to consider.
| discreditable wrote:
| From the title I assumed this was going to be something else. I
| remember some sites used to port scan you on registration. This
| was to check if registrations were from an open proxy, which was
| a very strong bot indicator. I might be misremembering but I
| think Slashdot used to do it. There were also some plugins for
| phpBB forums that did it too. I used one back in the day and it
| helped quite a bit with spam registrations.
| Deimorz wrote:
| Yes, I definitely remember Slashdot doing it, but it was more
| often than just on registration. Here's an article from 2014
| about it, which says that it happens on every login and posting
| a comment:
| https://soylentnews.org/article.pl?sid=14/04/09/1925245
|
| At the bottom of that post it says the code was added on
| 2008-04-16 19:07:46 +0000.
| discreditable wrote:
| That sounds right. To test I ran a capture on my gateway and
| it seems like they aren't scanning 8080 or 3128 on login or
| post nowadays.
| machello13 wrote:
| How did port scanning work back then before WebSockets?
| r1ch wrote:
| These were external scans - see if the visitor's IP is
| running an open SOCKS or HTTP proxy for example. Many IRC
| networks still port scan you on connect for the same reason.
| [deleted]
| lucaserb wrote:
| I downloaded Brave for the first time today after reading this.
| 3fe9a03ccd14ca5 wrote:
| How do I prevent this? Is there something I can do to block
| localhost (RFC 1918) port scanning?
| JaceLightning wrote:
| Poorly written article: mixes facts and opinions
|
| > it seems many sites are port scanning visitors for dubious
| reasons.
|
| Claims that in the intro, but then admits ebay is scanning for
| VPNs, which probably means it's doing fraud detection, which is
| definitely not a dubious reason, and is probably actually
| beneficial to the customer.
| fgnewsom wrote:
| FUCK GAVIN NEWSOM!
| akerro wrote:
| Interesting, port scanning is illegal in some countries as it's
| classified as security testing, it can be only performed with
| permission.
|
| How would you feel is someone was walking on busy car parking and
| checking if doors of the cars are open? It' what port scanning
| is, checking if the car has open door.
| kchr wrote:
| Is opening car doors illegal if you never enter the car/steal
| anything?
| ac29 wrote:
| A motivated prosecutor could almost certainly find something
| to throw at you - some variety of public nuisance law or
| something.
| clarry wrote:
| > How would you feel is someone was walking on busy car parking
| and checking if doors of the cars are open? It' what port
| scanning is, checking if the car has open door.
|
| More like sending a "hi, can I enter?" signal to a self-driving
| taxi that has been left waiting in a public arena.
|
| Don't put a server online with a public IP if you don't want to
| receive those signals. Don't send "hi yes you can enter!"
| responses when you get the query, if you don't want to let
| people in.
| jgwil2 wrote:
| Except in the case described by the article, the port
| scanning is being done not on servers on the public internet
| but on clients of certain websites.
| lucaserb wrote:
| Downloading Brave Browser right now...
| tonymet wrote:
| anyone know the config or flag in Chrome to disable any requests
| to localhost? Ideally excluding origin=localhost, but if not
| possible i can dev on a different account
| relaunched wrote:
| This use doesn't seem to be covered by eBay's privacy policy
| https://www.ebay.com/help/policies/member-behaviour-policies...
| fareesh wrote:
| Why is localhost / 127.0.0.1 allowed from a remote JS file
| without any permissions?
| badRNG wrote:
| This raises the question: Is port scanning without consent a
| violation of the CFAA? Either it is legal, and researchers should
| face no repercussions for doing so, or it isn't and eBay is non-
| compliant with CFAA. I recall hearing about someone either being
| arrested or convicted due to port scanning a courthouse, but it
| was many years ago and I can't find the case with a cursory
| Google search.
|
| I have to wonder what value eBay would get from port scanning its
| customers. Is it part of an attempt to detect bots/attackers? Is
| malware running on their server trying to determine if the client
| is likely vulnerable to some propagation method?
| dollers wrote:
| Someone's never caught a case. You may not think this is true
| but the way the legal system works is everything is illegal.
| Then when they need to get you you are already guilty. Everyone
| else they just ignore. Crazy, right?
|
| LMAO a downvote in 3 seconds. Good old hacker news. Well,
| downvotes don't make you right. I'm trying to open your eyes
| and you downvote me. I guess that is to be expected.
| throwaway023421 wrote:
| Over the years I've seen "hacker" news become more of an echo
| chamber and instantly downvote anything against doctrine...
|
| I'll be downvoted for saying this.
| thephyber wrote:
| > I'll be downvoted for saying this.
|
| Because it's against the site guidelines.
|
| > Please don't comment about the voting on comments. It
| never does any good, and it makes boring reading.[1]
|
| [1] https://news.ycombinator.com/newsguidelines.html
| Gibbon1 wrote:
| Your comment is even more worthless than his
| dollers wrote:
| Homogeneous idiocracy makes it boring. Knowing
| conversations that aren't the right conversations won't
| be allowed is what makes it boring. Citing the site
| fucking guidlines ...makes ...it ...bor
| [deleted]
| dollers wrote:
| Yep
| paulryanrogers wrote:
| "Innocent until proven guilty" suggests that everything is
| legal unless there is a law against it.
| MaxBarraclough wrote:
| Not quite the same thing. A legal system could use presumed
| guilt (defaulting to assuming an accusation is true) while
| still having a 'blacklist' approach to which actions are
| punishable.
|
| https://en.wikipedia.org/wiki/Everything_which_is_not_forbi
| d...
| pdonis wrote:
| Do you know how many laws there are? Not to mention common
| law, which is law established by previous court decisions
| on matters that have never been covered by any statute?
| crankylinuxuser wrote:
| It doesn't make any sense in trying innocent people!
|
| (No, seriously, I know people who believe that.)
| duxup wrote:
| When did networking support we often had old code + lower
| quality equipment that could / would crash if you used off the
| shelf security software that would go out and scan and then try
| all sorts of things and then generate a report.
|
| I'd say 90% of the time the powers that be at the company had
| no idea someone was running that software, or that it was still
| running at their company, and then someone moved a firewall and
| the system was exposed to more than intended. Then they'd turn
| it of ... and find another similar tool running somewhere else.
|
| It could be a simple as a test or security system run amok.
| mcny wrote:
| > I'd say 90% of the time the powers that be at the company
| had no idea someone was running that software, or that it was
| still running at their company, and then someone moved a
| firewall and the system was exposed to more than intended.
| Then they'd turn it of ... and find another similar tool
| running somewhere else.
|
| This demonstrates the absurdity of the CFAA more than
| anything else. Sorry for sounding like a broken record but
| the CFAA is not salvageable and MUST be repealed.
| wrkronmiller wrote:
| > I have to wonder what value eBay would get from port scanning
| its customers.
|
| From the article:
|
| > Looking at the list of ports they are scanning, they are
| looking for VNC services being run on the host, which is the
| same thing that was reported for bank sites.
|
| > VNC is sometimes run as part of bot nets or viruses as a way
| to remotely log into a users computer. There are several
| malware services that leverage VNC for these purposes.
| [deleted]
| bitdivision wrote:
| They're almost certainly doing it as part of a heuristic to
| detect bots. Hence the VNC / RDP ports. I would assume it's
| quite common for bots to have those ports open so they can be
| monitored
| hn_check wrote:
| In this case it's a script running on your own web browser
| that's scanning localhost. You are effectively scanning
| yourself. It's in a different realm from external scans.
| ajphdiv wrote:
| Not illegal. Sites like shodan.io would have an issue if it
| was.
| wrkronmiller wrote:
| IANAL but this type of websocket port scan seems inherently
| different from what Shodan does.
|
| Shodan is outside your network's firewall, therefore only
| able to access services you've exposed to the wider web.
|
| If I understand the article, the websocket scan eBay is doing
| is trying to connect to local listeners on your laptop,
| behind your network's firewall and possibly even behind your
| laptop's firewall.
| gnu8 wrote:
| This is such an obvious consequence of web sockets that I
| wonder how anyone could have entertained the idea long
| enough to sober up and write the code. This is worse than
| letting a web page script have access to the clipboard,
| record mouse movements, and similar information leaks,
| because instead of just stealing information, now a web
| page can actively compromise any host on your network.
| crankylinuxuser wrote:
| Yep. Just waiting for this "feature" to be added to
| metasploit.
| wrkronmiller wrote:
| I agree this is quite disturbing.
|
| It does not, however, sound like an attacker can
| establish arbitrary TCP connections (at least using the
| technique from the article). Instead, the attacker can
| determine if something is listening on a port because it
| will take a different amount of time to negotiate/drop a
| connection to a port when there is a listener than when
| there is not a listener.
|
| In other words, this sounds like a variant of a timing
| attack. As such, presumably, this particular avenue of
| attack can be mitigated by the browser vendor inserting a
| delay s.t. no information can be gleaned from how long it
| takes to negotiate/drop a websocket connection.
|
| EDIT: I also wonder if it would be possible to do a
| similar port scan using the timing of XHR requests to
| localhost (e.g. http://localhost:[port]).
| throwphoton wrote:
| > It does not, however, sound like an attacker can
| establish arbitrary TCP connections
|
| Maybe not, but what if the ports you have open actually
| are HTTP servers for development purposes? In that case
| wouldn't a website be able to crawl your unreleased work,
| and/or mess with what you're doing, with requests
| seemingly "out of nowhere"?
| bzb3 wrote:
| That's a fallacious argument. The fact that someone is doing
| something doesn't mean it's automatically legal.
| TechBro8615 wrote:
| IANAL, but more likely it depends on intent and context. So
| shodan.io is okay because it's not explicitly malicious,
| and they have clear paths to contact them if you suspect
| abuse. Whereas, if you're suspected of hacking a website,
| the fact that you port scanned it a week prior to password
| spraying it might serve as evidence against you. That is,
| it seems unlikely anyone would be prosecuted for port
| scanning alone, but it could be an act that demonstrates
| intent of a later action.
|
| One time, I port scanned my public IP (of my ISP) from an
| EC2 box, and I got an email from EC2 saying they received
| an abuse complaint from the ISP for port scanning activity.
| pbhjpbhj wrote:
| What's Shodan.io's legitimate use? Sounds like the
| "torrents can be used for legitimate content" type
| argument where in reality you a rounding error the use is
| not lawful??
| jerf wrote:
| If I were a serious baddie, I'd be _afraid_ of using
| Shodan. Who knows who has what logging on that, and what
| honeypots may have been seeded into it for just such an
| occasion? It 's not that hard to get that information
| yourself, from sources you control yourself.
|
| Legitimate usage from researchers and people reading
| about infrastructure they have the right to do security
| testing on may be a larger percentage than you think.
| 101404 wrote:
| I used to use torrents a lot and always for legitimate
| data transfers.
| pbhjpbhj wrote:
| Yes, I've used it to download Linux distros, but the
| point still stands.
| 101404 wrote:
| Not really, it totally contradicts the made-up point.
| TechBro8615 wrote:
| There are plenty of legitimate uses of port scanning, and
| specifically, a port scanning database like Shodan. For
| example:
|
| - Monitoring your own network or that of your clients for
| exposed ports
|
| - Researching Internet topology, or performing aggregate
| queries like "how many nginx servers are connected to the
| Internet"
|
| Can you use it maliciously? Yes. But, most of the time,
| if you have a target it would make more sense to do the
| port scan yourself. And if you're just dragnet searching
| for vulnerabilities, most you find will probably already
| have been exploited. Sites like shodan are good for the
| overall health of the web because they force website
| owners to maintain security posture. If you know that
| foregoing a wordpress upgrade means you're one script
| kiddy with a shodan account away from getting hacked,
| you're going to keep your site up to date. This saves you
| from script kiddies, but also from the more sophisticated
| hackers who would run a port scan themselves anyway.
| pbhjpbhj wrote:
| >There are plenty of legitimate uses of port scanning,
| and specifically, a port scanning database like Shodan.
| //
|
| Any legitimate security service is going to be doing
| there own scans, surely.
|
| Statistics, yes, but I can't see those stats being
| especially good. You could probably get equally good
| nGinx data from netcraft, who IIUC get the data from http
| responses banners on :80 :443.
|
| I'm not sure I buy the "security posture" line, isn't it
| circular. Tools to help crack your site are good because
| it means to have to have counter-measures to combat tools
| for cracking your site?
|
| Only legitimate use of port scanning for me has been
| testing access to my own/clients computers, I feel.
| That's not too say I've not used it for illegitimate
| things ...
| achillean wrote:
| Shodan is used by most of the Fortune 100 companies for a
| variety of use cases. Here are the most common ones:
|
| 1. External network monitoring: know what you have
| connected to the Internet and get notified if anything
| changes unexpectedly. This has actually gotten
| significantly more challenging with services deployed to
| the cloud where your IT department might not even know
| which IPs to keep track of.
|
| 2. 3rd-party risk assessment: understand the security
| exposure of your partners, vendors, supply chain or other
| 3rd-parties. For example, lets say you're an insurance
| company that wants to provide cyber insurance. Shodan
| data can help you understand what sort of risk you'd be
| taking on. The data has also been used in M&A as part of
| due diligence to get a metric on the security of the IT
| department of the company they're thinking of acquiring.
|
| 3. Market intelligence: basically Netcraft on steroids.
| Shodan doesn't just have web information but also for
| many other protocols. This information is used by hedge
| funds and vendors to understand which products are
| purchased and deployed to the Internet. The data is
| skewed due to the nature of public IPs but there are
| still things you can do.
|
| 4. Policy impact: get a measure for how policies at the
| country-level are impacting Internet connectivity. For
| example, the OECD used Shodan to get a measure of
| Internet-connectivity per capita.
|
| 5. Fraud detection: is your customer trying to make a
| purchase from a machine that's been compromised? Or
| running a a VPN/ proxy? Shodan is used in transactional
| fraud detection to flag suspicious payments.
| ajphdiv wrote:
| The more pointed argument would be there is no federal law
| prohibiting port scans.
| TeMPOraL wrote:
| Doesn't the Curl/For-loop Abuse Act (CFAA) cover it?
| kube-system wrote:
| > Either it is legal, and researchers should face no
| repercussions for doing so, or it isn't and eBay is non-
| compliant with CFAA.
|
| Criminal law is _usually_ not this simple, as most criminal
| laws will take into account the mental state of the person
| performing the action.
| JoelMcCracken wrote:
| Was it this? https://news.ycombinator.com/item?id=21023023
| p410n3 wrote:
| That wasn't port scanning. They actually physically went
| inside the building.
| badRNG wrote:
| No, I think it was probably close to a decade ago, but I
| likely am misremembering some of the details. Could've been a
| police department, but I'm not sure.
|
| That one you linked is a messed up case. There is a
| phenomenal podcast that interviews those guys and walks
| through their engagement.
| https://darknetdiaries.com/episode/59/
| p410n3 wrote:
| This guy got arrested at least:
|
| https://www.securityfocus.com/news/126
| billme wrote:
| Article also states civil claims were dismissed - and
| criminal charges are unlikely to hold.
| relaunched wrote:
| I hope they weren't debilitated by the legal fees incurred.
| badRNG wrote:
| nmap's "Legal Issues" section states that the guy went on
| to start a successful digital forensics company, after
| spending years crushed under 6-figure legal fees.
|
| https://nmap.org/book/legal-issues.html
|
| Edit: Link to the company
| http://www.forensicstrategy.com/ He also has a data
| recovery company now http://www.myharddrivedied.com/
| rtkwe wrote:
| It's probably part of their fraud detection and mitigation
| strategy. Combined with other info about your transactions it
| could help raise a flag about changes.
|
| As for the CFAA that's seemingly down to how aggressive the
| prosecutor is feeling about your case. I don't think it should
| be there's no real access happening and unless it's extremely
| aggressive and degrades network connectivity it's hard to argue
| there's any real damage done.
| hedora wrote:
| Bypassing a firewall to run a port scan is almost certainly
| illegal.
|
| That's what these sites are doing.
| kchr wrote:
| I agree with the sentiment, but by visiting the site and
| running the code, I believe you bypassed the firewall on your
| own.
| arpa wrote:
| Why don't you run this executable. No, this ransomware
| message has nothing to do with me, it's all you. Why do you
| do this to yourself?
| nerdponx wrote:
| My guess is bot detection + user fingerprinting.
| laurentdc wrote:
| > Furthermore, when I installed and ran a VNC server, I didn't
| detect any difference in site behavior - so why is it looking for
| it?
|
| I think behind the scenes they keep log of some sort of fraud
| risk, e.g. geoip different from billing country, suddenly a new
| operating system, vnc/teamviewer running would probably flag your
| account (even for benign purposes, e.g. you can get your money
| back or purchase cancelled if that info can prove your
| transaction was actually unauthorized).
|
| I worked on a ecommerce where the previous developers implemented
| a rudimentary "score" system like that so that suspicious orders
| would be put in queue for phone verification (this was pre gdpr)
| BCharlie wrote:
| That makes a lot of sense. I assumed it was somehow for anti-
| fraud, though I still don't like it.
| braxxox wrote:
| Port scanning from a web page, combined with DNS rebinding, can
| present a really nasty attack, and can effect an entire private
| network, not just localhost.
|
| Some more info here: https://medium.com/@brannondorsey/attacking-
| private-networks...
|
| Example code: https://github.com/brannondorsey/dns-rebind-toolkit
|
| A malicious DNS rebind server:
| https://github.com/brannondorsey/whonow
|
| Disclaimer: I performed some of this research a few years ago. So
| those resource suggestions are my own, but they feel very
| relevant here.
| blakesterz wrote:
| hmmm, so the conclusion is:
|
| "Whether the port scan is used as part of an infection or part of
| e-commerce or bank "security checks", it is clearly malicious
| behavior and may fall on the wrong side of the law."
|
| Though I really don't know what ebay or banks or any site might
| be doing, it seems like it's almost certainly a defensive thing
| looking for signs of trouble. I don't know if I'd call it
| malicious. Isn't this totally harmless in this case? That is,
| eBay portscans me, how is this malicious?
| the8472 wrote:
| You don't know whether they're collecting the data and running
| analysis on it. What services you're running may already reveal
| something about you.
| pknerd wrote:
| I just tried myself and could not find any such thing. MAy be a
| bug or removed after seeing it featured on HN?
| owaislone wrote:
| This is scary. I've always left locally running services
| unprotected for convenience given they can't be accessed from
| outside. I can imagine a lot of people running local apps,
| servers or databases without any auth that could contain
| sensitive information. Would a webpage be able scrape data from
| such services? Any way to disable this completely in Firefox and
| Chrome?
| dvdkhlng wrote:
| No, webpage javascript is limited to using websocket protocol
| [1] for connections. That means your database or IP camera, or
| VoIP phone or router are safe for now. Though the websocket
| connection establishment seems to allow the javascript to
| differntiate between a closed and an open TCP socket and a TCP
| socket that speaks websocket.
|
| [1] https://en.wikipedia.org/wiki/WebSocket
| owaislone wrote:
| So if a local service allows WS connections, can data be
| scrapped off such a service?
| dvdkhlng wrote:
| Yes, the primary (or only) reason to even implement a WS
| server connection is exactly to allow data to be scrapped
| off using a web-browser.
|
| E.g. Asterisk nowadays allows enabling SIP protocol access
| over websocket so that you can run a javascript VoIP client
| from inside a browser [1] (and WebRTC for the media layer).
|
| [1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Bui
| ltin+...
| owaislone wrote:
| Sure but such servers would always implement
| authentication when deployed to the web but a lot of such
| services could run locally unauthenticated to serve local
| apps. For example services to power electron apps. This
| tells me data from such services can be stolen very
| easily.
| dvdkhlng wrote:
| Electron apps have much more access permissions than a
| normal website. I don't know technical details of how
| electron apps interact with the bundled chrome, however
| this post [1] suggests that electron apps can just talk
| low-level TCP protocol, no need to wrap everything in an
| additional websocket protocol layer.
|
| [1] https://stackoverflow.com/questions/41674063/is-it-
| possible-...
| paddlesteamer wrote:
| Actually , I'm pleased ebay is doing this. It wasn't a new issue
| but now ebay doing it, it took a lot of attention. It's like
| disclosing a security issue in WebSocket protocol. Now I'm sure
| next releases of the most browsers will fix it.
| jquast wrote:
| See also, http://localrouter.net/
| jcoffland wrote:
| Port scanning localhost from a webpage has been possible for a
| long time and does not require websockets.
|
| http://jsscan.sourceforge.net/
| 2009guy wrote:
| Best to log all scanning attempts...
| annoyingnoob wrote:
| If the bank is checking on my security then its reasonable for me
| to check the security of the bank, right?
| kchr wrote:
| Check the bank EULA. You might have agreed to the scans without
| knowing.
| parliament32 wrote:
| Lots of chat in the comments about how this is all websockets'
| fault, but don't forget you can portscan localhost with pure JS
| as well.
|
| https://portswigger.net/research/exposing-intranets-with-rel...
| carapace wrote:
| Ach! That's diabolical.
| gsnedders wrote:
| Timing attacks make it very hard to prevent port/host probing
| generally, sadly, with the sheer number of things that are
| observably loaded cross-origin (iframes in that example, but
| also images, scripts, stylesheets...).
|
| (In the private/loopback IP ranges we should really just make
| those requests always fail, but I addressed that in another
| comment as to why that's not trivial.)
| bjt2n3904 wrote:
| Every time I hear about some shiny new feature being added to a
| browser, I think...
|
| 1) Will I ever actually use this
|
| 2) How is this gonna screw me over
|
| WebSockets, WebBluetooth, WebAssembly, Web-You-Can-Access-my-
| Accelerometer-and-Battery, haven't ever wanted to use those.
| Ever. For anything. For any reason. (Edit 3: Oh yeah, I forgot!
| WebRTC!)
|
| Edit: Fantastic. You can't disable it in Firefox. So what, does
| Firefox need a freaking iptables implementation now? [1]
|
| 1 - https://bugzilla.mozilla.org/show_bug.cgi?id=1091016
|
| "The only theoretical reason for the WebSocket pref these days is
| the possibility to disable it easily in case there is a security
| issue found in the protocol itself or so."
|
| The protocol itself is the security issue. ALL OF IT.
|
| Edit 2: So I don't have the time to investigate every new fad
| when it comes out. I originally thought WebSockets were raw
| sockets, but they aren't. Firefox blocks access to port 22 -- I
| was hoping all privileged ports, but it seems just those. Opening
| a WebSocket to netcat dumps out a HTTP request, so it seems
| unlikely that you'd be able to talk with anything that doesn't
| talk HTTP and WebSockets. Firefox also seemingly blocks access to
| 192.168/24 and 10/8.
|
| This makes me less angry. But what STILL make me angry is that I
| have to sit and research about some stupid thing that I don't
| want and can't turn off. Sooner or later, some web dev is gonna
| argue that all sites should be loaded over WebSockets because his
| bloated javascript stack performs marginally better, and then
| WebSockets _won 't_ be something I can turn off. Websites will
| just whitepage.
|
| Edit 4: Done researching this now. I went to ebay on Firefox, and
| wasn't getting websocket scans. But I've got a stack of uBlock
| and NoScript... maybe that's interfering with it some how? Opened
| up a stock config for google-chrome -- that's my browser for
| "some dumb new web tech that isn't working in Firefox" -- not
| seeing any scans when I open up inspector and click "WS".
|
| Regardless, his point still stands. You can totally use
| WebSockets as a port scanner for localhost, assuming the Content
| Security Policy allows it. Now I gotta go update my nginx
| configs...
| thinkmassive wrote:
| The ability to selectively enable those features would be
| ideal, but I disagree that their presence alone is a net
| negative.
|
| Web browsers are the new cross-platform runtime, better to get
| used to it.
| djsumdog wrote:
| Websockets are nice for some things. I hack on Mastodon and it
| uses WSS for streams and they're very helpful.
|
| But WebBluetooth, ASM, etc are all fairly insane. WebRTC feels
| like a massive security issue (I've seen a demo of someone
| using WebRTC to find computers on an internal network at a
| security conference years ago. Even if that hole is fixed, it's
| still a hacky solution to video streaming behind NAT).
|
| I agree; most of this stuff needs to have ways to disable it,
| in the base configuration screen of the browser (not hidden
| somewhere in about:config).
| Sargos wrote:
| Anyone who has enough technical knowledge to have a reason to
| turn these off should be just fine with about:config. We
| don't want a situation where normal users just randomly go
| into the config turning things off because they think they
| are doing something good. That's how we get another group of
| low-tech "turn off Windows Update" types who just harm
| themselves as a result of their incompetence.
| mindslight wrote:
| Anyone who has enough technical knowledge to have a reason
| to turn these _on_ should be fine with about:config. The
| default settings should be _secure_.
| bottled_poe wrote:
| I think people turned those updates off for good reason...
| but it wasn't the users that were incompetent.
| JoshTriplett wrote:
| The subset of web technologies that seems reasonable to any
| given speaker often closely matches the subset of web
| technologies the speaker uses (either for their own code, or
| in apps they use).
|
| Personally, I'm looking forward to the point that web apps
| are capable enough to let PWAs do absolutely anything an
| Android or iOS application could do.
| Reelin wrote:
| > Even if that hole is fixed ...
|
| Last I checked (> 1 year ago) it was WONTFIX because of some
| very idiotic (IMO) reasoning. I keep it permanently disabled
| and have never missed it (media.peerconnection.enabled in
| Firefox btw).
| rhizome wrote:
| No doubt like canvas, font, audio, etc. fingerprinting, it
| will eventually be required to use Google apps like Maps
| and Messages for Web (to cite two recent discoveries).
|
| "If you're not paying, you're the product" has its own form
| of economic inflation.
| klodolph wrote:
| Why is ASM insane? Are you talking about WASM? That's got the
| same security model as JavaScript.
| garmaine wrote:
| Which is where the trouble started.
| saagarjha wrote:
| A stronger one, actually, since it can't access a bunch of
| stuff.
| neurostimulant wrote:
| WASM is great peace of tech but I can't help to think it
| would be abused a lot in the future. For example, right now
| we can use ad blocker to block ads and analytics by
| blocking its js from loading. Imagine when wasm gains
| mainstream popularity and ad companies begin to ship their
| ads and analytics product as a libaries to be linked at
| compile time. How do we block something like that? Sure the
| adblocker can hide the relevant dom contents, but the code
| is still run and doing whatever it want on your browser.
| klodolph wrote:
| These kind of complaints are based on a misunderstanding
| of how JS works or how the browser works.
|
| You can do the same exact thing in JS _right now._ In
| fact, if anything, JavaScript makes this way easier than
| WASM. With JS, you can just use something like Rollup or
| Webpack to put your analytics code in the same code.
| neurostimulant wrote:
| Yeah but using webpack is not how majority of websites
| deployed, so it's probably not worth the effort for ads
| companies to support it. They will consider this when
| webpack/wasm become mainstream enough (approaching 50%
| web), which may or may not happen. Probably won't
| happened but the thought always linger in my mind.
| saagarjha wrote:
| Turing strikes again...
| bradly wrote:
| > I hack on Mastodon and it uses WSS for streams and they're
| very helpful.
|
| I'm not familiar with Mastodon or WSS. Can you describe how
| using WSS make the end user's experience better? What would
| be different if web sockets weren't used?
| djsumdog wrote:
| Mastodon is a federated/distributed social networking
| server that communicates with other servers via a protocol
| called ActivityPub. The interface feels sorta like Twitter,
| but it doesn't have to be.
|
| There are other FOSS ActiviyPub servers such as Pleroma
| (written in Elixir), Pixelfed (Instagram type interface)
| and PeerTube (distributed video). ActivityPub is a protocol
| (like e-mail/SMTP) for subscribing and replying to posts.
| ActiviyPub is just used for the backend (how servers
| communicate with other servers; like SMTP sending e-mail or
| RSS readers polling RSS).
|
| Mastodon uses websockets to stream posts to the client/web
| browser. People who make mobile apps and desktop clients
| also tend to use WSS. It does fall back to regular HTTP
| polling in case WSS fails. Pleroma and others also re-
| implement the mastodon API. It means you can have different
| front-end web clients (Pleroma-fe, soapbox-fe, etc) on top
| of different backends (Mastodon/Pleroma).
|
| The advantage of WSS is being able to stream new statuses
| with a socket, rather than polling constantly for new
| updates.
|
| If you get on a Mastodon/Pleroma/Pixelfed instance (there
| are hundreds out there or you can setup your own), you can
| follow me at @djsumdog@hitchhiker.social
| bradly wrote:
| Thank you for the explanation.
| computerex wrote:
| WebAssembly is awesome! It's a substantial performance boost,
| and will allow the off-loading of standards to open-source
| communities so browser developers can focus on core browser
| features rather than having to stretch themselves.
| billme wrote:
| >> " Edit 4: Done researching this now. I went to ebay on
| Firefox, and wasn't getting websocket scans."
|
| ...Just in case you missed it and you're using Linux, from the
| article...
|
| "I thought it might be because I run Linux, so I created a new
| Windows VM and sure enough, I saw the port scan occurring in
| the browser tools from the ebay home page"
| Wowfunhappy wrote:
| I realize Hacker News isn't a hivemind, but I see these two
| assertions frequently, and I find the contradiction striking:
|
| 1. Why are web browsers becoming application platforms? Web
| browsers are document readers, and we should treat them as
| such.
|
| 2. Why does Zoom (or Slack, or insert-thing-here) want me to
| download a native app? I should be able to do it in my web
| browser!
|
| I sympathize with both philosophies, but they cannot co-exist.
| dullgiulio wrote:
| Nope, this is a strawman argument you're making.
|
| Parent is asking for granular access control over these very
| advanced and double-edged features, which is a perfectly
| valid request.
|
| Having permissions is the norm for native apps on mobile, and
| it's slowly becoming the norm also on desktop, finally.
|
| Browsers are the new OS, they have to implement permissions
| too without anything enabled by default.
| louis_pasteur wrote:
| We need a simple browser implementation for the masses. Is
| there any such browser in existence?
| wronex wrote:
| Agreed. Firefox99, latest Firefox but party like it's 1999.
| Web* disabled. Canvas disabled. LocalStorage disabled. DRM-
| content disabled. Anything else we don't need?
| travisporter wrote:
| You've inpsired me!
|
| In Firefox:
|
| LocalStorage - about:config Dom.storage.enabled
|
| Canvas - block JS via noscript
|
| DRM - Preferences->Disable DRM content checkbox
|
| WebRTC - about:config media.peerconnection.enabled;
|
| As a side note, noscript has been an eye-opener for how
| many things are loaded when I open anywebsite! It's been
| fast, but I've been getting annoyed by guessing what to
| enable to move past a blank webpage. And WTF is newrelic
| and why does half of my internet browsing use it?
| neurostimulant wrote:
| Newrelic is an application performance monitoring
| platform, basically give you performance insight on your
| webapp, so it gain popularity really fast. Really great
| for identifying performance bottleneck on the server
| side. Later on, they launched browser monitoring too, so
| now all webserver that uses newrelic automatically insert
| newrelic js analytics on every html endpoint.
| mard wrote:
| Netscape.
| Sargos wrote:
| DOS is simpler than Linux. Lets go back to that.
| mcherm wrote:
| There are no simple browsers, thus certainly no simple
| browser for the masses.
| folmar wrote:
| If you are on mobile there is Firefox Klar/Focus.
| kchr wrote:
| Qutebrowser.
| imiric wrote:
| I'm a big fan of https://surf.suckless.org/ .
|
| With some polish and maintenance it could serve as base for a
| simple(r) browser for the masses. It is essentially a small
| wrapper around WebKit, which is far from simple, but it has
| the benefit of great support for modern web features.
| [deleted]
| have_faith wrote:
| I don't think there's anything wrong with any of those things
| with a sane permissions system attached (strict opt in per
| site).
|
| The web is now a no-install app delivery platform, it makes
| sense for these things to exist.
| anon_cow1111 wrote:
| >So I don't have the time to investigate every new fad when it
| comes out
|
| I'm finding this to be my main problem. I have a fairly solid
| computer repair/troubleshooting background but can't keep up
| with the layers of crap that are pasted on top of modern
| software.
|
| An ongoing list of "features" being added to web browsers and
| how to get rid of them would be hugely helpful, but I've never
| found a centralized site for this topic, it's all just
| scattered around various tech sites.
| lqet wrote:
| > Opening a WebSocket to netcat dumps out a HTTP request, so it
| seems unlikely that you'd be able to talk with anything that
| doesn't talk HTTP and WebSockets.
|
| AFAIK this is only partly true, if the web server does not
| support the websocket protocol, you cannot connect to it [0].
|
| So if I am understanding this correctly, WebSockets only
| support a small subset of HTTP and it should therefore not be
| possible to use them to connect to "classic" HTTP servers or to
| send GET or POST requests to it.
|
| [0] https://developer.mozilla.org/en-
| US/docs/Web/API/WebSockets_...
| cygx wrote:
| But you still have to make sure all programs bound to local
| ports handle WebSocket requests gracefully.
|
| Binding to 127.0.0.1 is a nicely cross-platform way to do
| inter-process communication (I've done so in the past to
| mitigate JVM startup/warmup issues).
|
| I've never written this code defensively, because if you run
| programs that throw random shit at locally-bound ports,
| that's your responsibility. The web community has decided
| it's a good idea to give arbitrary websites that capability.
| It's true that the 'random shit' may only take the form of
| WebSocket requests, but this is only a minor comfort.
|
| From my perspective, this needs to be locked down.
|
| _edit:_ On second thought, you have always been able to
| trigger similar requests by e.g. just setting the src
| attribute of an image: Opera aside, browsers apparently never
| implemented proper cross-network protections. So from now on,
| I 'll be extra careful to make sure all my servers can handle
| unexpected, potentially malicious HTTP requests even when
| bound to 127.0.0.1.
|
| That said, I still do think this is something that needs
| fixing on the browser-side.
| jwandborg wrote:
| WebSocket connections are initialized by sending an HTTP
| request.
| datenwolf wrote:
| You forgot WebUSB - I wish I was joking, but I'm not:
|
| https://developer.mozilla.org/en-US/docs/Web/API/USB
| edoo wrote:
| I see irony in all this web functionality.
|
| Back in the 90's if you wanted an ohms law calculator you had
| to go download a poorly written program from some random
| website. Network admins started locking down what you could
| download, run, and install due to security problems. Flash
| became a hit and they started piling on features in the
| browser so you could run things dynamically without having to
| download something.
|
| Fast forward almost 30 years and the browser has become so
| full featured it is practically a weak OS sandbox that allows
| you to run just about anything. It was originally being
| extended to avoid that in the first place, and here we are
| almost back to square one.
| wongarsu wrote:
| The browser is basically the reinvention of the operating
| system. Its huge advantage is that it's built on the
| assumption that the user is trusted and the code isn't. In
| contrast most operating systems are designed on the
| assumption that code is absolutely trusted, but the user
| isn't. That's why rights management in Windows is concerned
| with who's allowed to access which file, while rights
| management in Firefox is concerned which which website is
| allowed to access the Webcam.
|
| The big disadvantage of the browser is of course that
| there's huge competitive pressure, and most users prefer
| usability over security. Keeping things secure without
| asking the user about their intentions every step is a huge
| challenge (see also Windows UAC, which struggles with the
| same problem).
| jadell wrote:
| > Its huge advantage is that it's built on the assumption
| that the user is trusted and the code isn't. In contrast
| most operating systems are designed on the assumption
| that code is absolutely trusted, but the user isn't.
|
| It's not necessarily an advantage, it's just a different
| threat model. An OS is protecting against an attacker
| already having access to the system (whether physically
| or over network.) The assumption is that the system is
| working properly and it's the operator that is malicious.
|
| For the browser, the assumption is that the operator is
| working properly, but the systems they will be accessing
| are malicious.
|
| The browser security measures are like a guard at the
| castle gate, allowing or preventing people from entering.
| The OS security is like locks on the doors inside the
| castle so that only people with the right keys can get
| into various protected rooms.
|
| Both are necessary because they're preventing different
| things (access to the system vs. access once you're
| already inside the system.)
| abakker wrote:
| yes, because for most user choosing between security and
| functionality is not a choice they are prepared to reason
| about.
|
| I'm no expert, but I am computer savvy. My experience is
| that more security ALWAYS limits functionality that I want.
| I get around it all with VMs and snapshots. I have totally
| wide open VMs that have no host access and just reset to
| the snapshot when I shut them down. the irony is that it is
| not only harder to choose functionality today, when you
| want it, but also harder to choose security. The choices
| are made for you. it is infuriating.
| bjt2n3904 wrote:
| ...we are screwed.
| coronadisaster wrote:
| dont these features allow web apps to compete with native
| mobile apps? I really don't like the app or play store... so
| if that is one way to get away from them, that is a good
| thing.
| r00fus wrote:
| I see WebUSB and I immediately think: "This is something that
| already exists in ChromeOS and Google wants to standardize
| it".
|
| Chrome the browser is a stalking horse/test harness for
| ChromeOS.
| the8472 wrote:
| > So what, does Firefox need a freaking iptables implementation
| now?
|
| umatrix is the layer7 firewall you're looking for, it can block
| websocket connections, cross-domain ones in particular are
| quite easy.
| djsumdog wrote:
| I've had performance issues with umatrix. I tried blocking
| all JS by default and explicitly enabling scripts. In theory
| that should make the browser preform better. I suspect there
| are a bunch of sites that can't run a function or reach a JS
| resource and then just go into spin loops eating through
| resources .. either that or the blocking itself is resource
| intensive.
| OJFord wrote:
| > I suspect there are a bunch of sites that can't run a
| function or reach a JS resource and then just go into spin
| loops eating through resources
|
| Google Maps.
| the8472 wrote:
| blocking has non-zero cost, yes. especially if complex
| whitelists need to be evaluated for every request. but at
| least for me it still is a net win most of the time.
|
| But you can also operate umatrix in a blacklist-based
| approach, i.e. simply let most requests through except the
| categories you deem problematic (e.g. cross-site websockets
| in this case)
| craftinator wrote:
| Whatever happened to a control panel to turn off all of the
| things you Don't Want? All of these protocols should have
| triple toggle switches, Enabled, Ask, Disabled. If something on
| the page doesn't load because that protocol is disabled, it
| logs to the console so you can turn on what you need for that
| page.
|
| I get that adding lots of user controls makes state management
| difficult, but there are tried and true ways to do this; users
| need the browser to work for them, not the other way around.
| jschwartzi wrote:
| Firefox is open-source, so you could add that. I would really
| appreciate being able to turn WebUSB WebBluetooth and WebRTC
| off entirely as those expose a lot of devices that I need not
| to be exposed to the Internet.
| michaelt wrote:
| I'm pretty sure someone at Firefox has decided the settings
| panel should be 'clean' and 'easy to use' rather than
| providing maximum control.
|
| I mean, there's a lot in about:config that the settings
| panel doesn't support.
| folmar wrote:
| ... and it was around the time when Firefox 3 was
| introduced.
| pdonis wrote:
| _> Firefox also seemingly blocks access to 192.168 /24 and
| 10/8_
|
| Chrome, OTOH, will happily open a websocket to these IP ranges.
| Another good reason not to use Chrome.
| kchr wrote:
| Uh... Why not block all private networks?
| foobiekr wrote:
| Probably IoT.
| ac29 wrote:
| A search seems to suggest Chromecast devices are controlled
| via websocket, though that information is pretty old.
| habyte wrote:
| I'm sorry, what's the alternative for (soft-)real-time
| applications on frontend if not WebSocket? You probably do want
| to use it.
| jackewiehose wrote:
| The alternative is to ask the user on a site basis.
| bjt2n3904 wrote:
| That would be amazing, but it would never happen. Mom and
| Pop would always click "no" out of fear of the unknown, and
| my awesome feature wouldn't get used! It _has_ to be
| enabled by default, they don 't know what they're missing!
| gsnedders wrote:
| That's literally the opposite of the concern with
| permission prompts: all the evidence from years of
| SSL/TLS certificate errors is that users will blindly
| grant permission.
| bjt2n3904 wrote:
| This is true -- and it may also be the same for
| miscellaneous permissions. But that doesn't mean it won't
| be used as an excuse by the feature developers.
|
| Honestly though, this is just me being bitter at web
| developers.
| kchr wrote:
| Surely everybody needs My Feature(TM)!
| derefr wrote:
| That's already how the browser microphone/camera API and
| notification API work, though. At this point, it's the
| expectation/default for new APIs to act this way. The
| browser makers would just have to be convinced to align
| the behaviour of these slightly-older APIs to the best-
| practice UX paradigm for new APIs.
| phkahler wrote:
| Native applications?
|
| Not everything needs to run in a browser.
| Spivak wrote:
| But that's even worse! Native apps have even less (i.e.
| zero most of the time) sandboxing than the browser.
|
| This wouldn't be a meaningful security improvement for
| anyone.
| danieldk wrote:
| You use a _much_ smaller set of applications than web
| sites. Moreover, you usually vet your applications and do
| not run random stuff. Application developers build up
| trust over time.
|
| Even if I want to use the web as hypertext + some
| Javascript for interactivity, every stupid web site can
| pull these shenanigans.
| rpastuszak wrote:
| A flashlight app asking for your contact list disagrees
| (don't forget about the FB SDK sitting quietly in the
| corner)
| gbear605 wrote:
| Maybe that's true for you, but if the modern web apps
| didn't exist, most average people would be downloading
| dozens or hundreds of miscellaneous apps. "Oh, I want to
| order a pizza on my computer, time to download the
| Domino's app." And then now you have Domino's ads running
| as daemons on your system.
| danShumway wrote:
| You use a much smaller set of applications than websites
| _because websites exist._
|
| You're imagining a world where the most popular dev
| environment goes away, and service providers decide to
| use HTML forms instead of forcing me to download an app
| every time I want to order a pizza. That world does not
| exist. The apps aren't going to go away, and your
| security model can't be, "people just won't install
| untrustworthy apps."
|
| And put things in perspective here -- we're talking about
| a security vulnerability that allows port scanning
| primarily for fingerprinting purposes. A native app can
| not only port scan, it can literally just make POST
| requests to those open ports across separate domains. The
| security risks we're talking about are not even remotely
| equivocal.
|
| Don't get me wrong, stuff like port-scanning _should_ be
| fixed in web browsers. But even with these
| vulnerabilities, the web is still unquestionably the
| safest consumer-accessible application platform that we
| have today. Moving applications off of the web and back
| onto native platforms would be setting security back half
| a decade.
|
| When someone comes to me and asks how they make their
| phone more secure and more private, the number one piece
| of advice I give them, every single time, is "avoid
| native apps and use websites instead. Don't install
| Facebook, use the website. Don't install random clicker
| games, browse them online instead."
|
| The web has been a major asset in my quest to get friends
| and family not to install a bunch of random malware on
| their devices. Doubly so when you throw kids and younger
| users into the equation. I am eternally grateful that the
| web is advanced enough that people can join a Zoom
| meeting without installing Zoom on their computer.
| michaelt wrote:
| Web sockets, but redesigned to only connect to the host shown
| in the address bar, on port 443.
| bjt2n3904 wrote:
| This man right here understands things.
| derefr wrote:
| Doesn't work if www.example.com is just an S3 bucket, with
| the actual website at api.example.com.
| michaelt wrote:
| That sounds like the developer's problem, not the
| browser's problem.
|
| I mean, I could half-ass my work a lot more often if
| they'd get rid of these burdensome restrictions on cross-
| origin requests. But they ain't going to.
| derefr wrote:
| Domains are never going to be just one origin. If we
| could force developers (or, more precisely, ops teams) to
| do this, then CORS would never have needed to exist in
| the first place, because there would be no need to allow
| any crossing of origins in the first place.
|
| But, at every point in the web's evolution (including
| today), there was always been something that needed to
| live on a different host or port for some reason or
| another--usually because it's too leading-edge for load-
| balancers to understand how to route it correctly.
|
| TCP load balancers that can handle long-lived flows with
| connection stickiness et al, are a very modern invention
| in the web's history; and even they still stumble when it
| comes to e.g. WebRTC's UDP packets, or QUIC.
| 90minuteAPI wrote:
| Server Sent Events and HTTP? With a modern setup it's going
| to be sharing an HTTP/2 pipe anyway. Even handles
| disconnections gracefully/transparently if you're clever
| about it.
|
| Can anyone expand on why this technique isn't more common?
| I'm so sick of seeing folks reinvent HTTP (poorly) on top of
| WebSockets. I get if extreme low latency is (allegedly) a
| requirement.
| iokanuon wrote:
| From what I remember about SSE, no Microsoft browser
| supported them. It seems like they've finally added support
| to Edge this year though.
| pennaMan wrote:
| SSE have a limit of 6 connections across all browser tabs
|
| https://bugzilla.mozilla.org/show_bug.cgi?id=906896 https:/
| /bugs.chromium.org/p/chromium/issues/detail?id=275955
| anderspitman wrote:
| If you're using HTTP/2 this problem goes away.
| verandaguy wrote:
| >Can anyone expand on why this technique isn't more common?
|
| Hard answer: WS has been around for longer, and it's had
| more "marketing" for lack of a better word -- more people
| know about it and know how to use it. Retooling existing
| WS-using code to use HTTP/2 pipes would be a considerable
| effort with little to no perceived benefit to most users
| and teams.
|
| Speculative answer: most web developers live closer to the
| application and presentation layers, and there's resistance
| to learning technologies that involve HTTP connection
| management e.g. in nginx (not to say that there are none of
| these, there are just fewer of us). WS was at the right
| place at the right time with a good high-level interface
| available to the client, and gained traction because of
| this.
| kalium-xyz wrote:
| Webrtc, plain requests, and side channels involving streams
| SmallPeePeeMan wrote:
| Native applications.
| LunaSea wrote:
| Native applications have orders of magnitude more access to
| your system than a website has.
| rpastuszak wrote:
| This isn't a loaded question, but how come people
| (especially the people here) don't know that?
| SmallPeePeeMan wrote:
| the real question is: Why do people write websites to
| behave more and more like native apps? In order to
| prevent a client-side install?
|
| For applications that want special access to my machine,
| there SHOULD be a barrier to entry or inconvenience like
| a client-side installation.
| derefr wrote:
| > WebSockets ... haven't ever wanted to use those. Ever. For
| anything. For any reason.
|
| You've never used a web-app chat client?
|
| > WebBluetooth
|
| APIs like these don't exist for the sake of regular
| unprivileged web-apps. They exist for the sake of _browser
| extensions_ (or browser "apps", or apps within a browser-
| projector like Electron), specifically in order to be used to
| add driver-like or service-like capabilities to devices like
| Chromebooks where the browser is the OS.
| bcrosby95 wrote:
| Before websockets webapp chat features would use long
| polling. Not sure if all current ones require websockets or
| if they have a fallback mechanism.
| derefr wrote:
| Before websockets, webapp chat features--as implemented by
| your average web-backend programmer--couldn't pass the C10K
| challenge.
|
| Yes, fundamentally, on a technical level, there's not much
| difference between holding open an HTTP connection in long-
| polling, vs. holding open a websocket connection.
|
| But the _abstractions_ presented by webserver gateway
| interfaces (e.g. CGI, prefork process-per-connection
| language-module embeds), languages /web frameworks (e.g.
| Ruby on Rails), and platforms (e.g. Heroku) back then, just
| didn't support long polling efficiently.
|
| HTTP backends, back then, were all built on an assumption
| of _serialized queuing_ of HTTP requests--with each web
| server /web stack/worker thread serving requests one-at-a-
| time, getting each request out of the way as quickly as
| possible. There was no concept of IO asynchrony. Web
| servers were request loops, not event reactors. Libuv
| didn't exist yet; nginx didn't exist yet. The standard web
| server was Apache, and Apache couldn't "yield" from a
| request that was idle.
|
| And, as such, providers like Heroku would queue at the
| load-balancer, and only proxy a single open request to your
| web backend at a time, under the presumption that it
| wouldn't be able to handle concurrent load. So you had to
| pay for 2x the CPUs (e.g. Heroku "dynos") if you wanted to
| be able to hold 2x the connections open!
|
| Entire third-party businesses (e.g. https://pusher.com/)
| were built around the hosting of custom web servers that
| _were_ written in an event-driven architecture, and so were
| able to host these pools of long-polling connections. But
| they were freakin' _expensive_ , because even they didn't
| scale very well.
|
| Eventually, it was realized that the just-introduced
| Node.js could do IO asynchrony pretty well, and people
| started building explicit "websocket servers" in Node,
| culminating in the https://socket.io/ library. Back then,
| you couldn't just put your regular HTTP load-balancer in
| front of your websocket backend, because your regular HTTP
| load-balancer almost certainly didn't support held-open
| connections. You needed to host socket.io on a separate
| host/port, directly open to the internet. (This was one of
| the driving forces of Node's adoption: as long as you were
| putting a Node app directly on the Internet, you may as
| well just put the rest of your HTTP app in there as well,
| and make the "websocket backend" into your whole backend.)
|
| Sure, these days, every backend, load-balancer, and NAT
| middlebox can handle long-polling just fine. But we got
| there with a decade of struggle, and "legacy"-but-not-
| really code that used WebSockets because they guaranteed
| the semantics that long-polling couldn't.
|
| (I should mention, though, that WebSockets _still_ have
| some advantages in the modern environment; namely, idle
| WebSockets are _known_ to be idle at the runtime level, and
| so, unlike with a long-polling HTTP request, a mobile
| device can relax its wakeup-timer intervals when the only
| network connections it's holding open are idle WebSockets.)
| upofadown wrote:
| >You've never used a web-app chat client?
|
| BOSH? Awkward, but it works without websockets.
|
| * https://en.wikipedia.org/wiki/BOSH_(protocol)
| neurostimulant wrote:
| > You've never used a web-app chat client?
|
| A decade ago people use comet for this, with php and apache!
| Every single ongoing comet connection occupy an apache
| process, a significant resource hog, yet people still use it
| because they have no other choice. These days we have
| websocket but I bet comet can be implemented with minimal
| resource penalty these days thanks to proliferation of async
| webserver support in modern backend stacks.
| reaperducer wrote:
| _You've never used a web-app chat client?_
|
| Nope. Not once. And I've been using the web since Mosaic.
|
| I see business web sites offering to chat with me all the
| time. I ignore them. If I want to chat, I'll let you know.
|
| Apple's business-to-Messages thing works so well, I hope it
| puts the scammy webchat companies out of business.
| gsnedders wrote:
| > APIs like these don't exist for the sake of regular
| unprivileged web-apps. They exist for the sake of browser
| extensions (or browser "apps", or apps within a browser-
| projector like Electron), specifically in order to be used to
| add driver-like or service-like capabilities to devices like
| Chromebooks where the browser is the OS.
|
| That's not really true, though: they're part of the Chrome
| team's belief in not limiting the capabilities of the web as
| a platform for app development (on the basis of "if you lack
| one feature the app needs, the entire app ends up native").
| This is a large part of Project Fugu:
| https://developers.google.com/web/updates/capabilities
| [deleted]
| u801e wrote:
| > Firefox also seemingly blocks access to 192.168/24 and 10/8.
|
| What about 172.16.0.0/12?
| pdonis wrote:
| It blocks that too on my machine.
| baybal2 wrote:
| We are in ActiveX 2.0 era. Can we call it GoogleX?
| fxtentacle wrote:
| Web browsers really are the new operating systems.
|
| Chrome OS was far ahead of its time, both in its general user
| hostility and in its excessive resource consumption for
| seemingly mundane tasks. Like when your roommate's YouTube
| streaming makes your Excel-like app horribly slow, because your
| new spreadsheet app needs high-speed internet for no obvious
| reason.
|
| BTW, WebRTC and WebAssembly were great for crypto mining
| trojans embedded into ads. Before, they had to port their
| crypto miner to JavaScript by hand. By now, you can just cross-
| compile it. The progress of technology ... helps only the
| technology, but not you, the disposable user in front of the
| screen :p
| giantrobot wrote:
| Hey, refID af64e30y, get back to looking at ads while your
| browser mines cryptocoins! We'll be watching!
| typ wrote:
| Strictly speaking, it is more like the _shell_ of the
| distributed operating system.
| Minor49er wrote:
| Which is also funny because, if I remember correctly, IE
| was deeply integrated into Windows Explorer and the desktop
| was essentially rendered by the browser. I remember being
| able to even change my wallpaper to a custom HTML page in
| Windows
| detaro wrote:
| > _Before, they had to port their crypto miner to JavaScript
| by hand_
|
| No, cross-compilers to JS are and were thing too, and were
| used by cryptominers.
| fxtentacle wrote:
| Yes, but before webrtc they were easy to block.
| detaro wrote:
| What do cryptominers need WebRTC for?
| fxtentacle wrote:
| To connect to arbitrary IPs and ports to send home the
| results of the calculations.
| zlsa wrote:
| Which can be done with HTTP as well.
| fxtentacle wrote:
| Yes, but that is A LOT easier to filter and detect,
| because then it'll be using the XHR API and HTTP
| protocol, whereas WebRTC allows free-form protocols.
| TomMarius wrote:
| You can't cross compile anything other than crypto miners or
| how does it not help anything else?
| fxtentacle wrote:
| Most of the other uses are pointless.
|
| I don't need WebRTC for chat, because IRC is still working
| just fine.
|
| I don't need WebRTC for video calls, because Skype is still
| working just fine.
|
| I don't need WebRTC and WebAssembly for online gaming,
| because I have Steam to install games locally. Plus latency
| and performance of games emscripten-ed to wasm tends to be
| atrocious.
|
| So the only uses where I have seen the new Web* APIs in my
| life was obnoxious ads and newspaper websites trying to
| shove recommendations and notifications into my face.
|
| What would you want to cross-compile that couldn't be done
| much better by building a proper local app?
| fxtentacle wrote:
| Plenty of downvotes, but no productive suggestion of what
| use-case would be best served with WebRTC ...
| seangrogg wrote:
| WebRTC enables many of these things on the browser. That
| is the point. So your "I don't need WebRTC because I use
| native apps" is basically just "I don't need the internet
| because I can go next door to talk to my neighbors".
|
| Just because something doesn't have value for you does
| not suggest it does not have value, period.
| fxtentacle wrote:
| Almost. I'd say my argument is "I don't care about an
| online egg retailer shipping from China, because using
| the local supermarket is better in every way."
|
| And obviously, Skype and IRC use the internet, too. So
| what is the benefit to me - the user - of "Skype inside
| web browser" over "Skype separate of web browser"?
|
| I understand that WebRTC makes "Skype inside web browser"
| possible, but it also makes a lot of less desirable
| behavior possible. So there is be a trade-off between the
| advantages and the risks from adding WebRTC.
|
| Which benefit does WebRTC generate for the user? I.e. why
| is it a good thing that web browsers added this?
| TomMarius wrote:
| That's just a matter of browser software. The Web
| platform should not suffer just because the browser is
| imperfect. You can write your perfect browser, fairly
| easily with the libraries available. I will try when I
| have some time.
| coribuci wrote:
| > Plenty of downvotes, but no productive suggestion of
| what use-case would be best served with WebRTC ...
|
| Worms. Todays web browser are like MS office 15 years
| ago. A disaster waiting to happen.
| jackewiehose wrote:
| There is media.peerconnection.enabled in about:config. When set
| to false, WebRTC doesn't work but I'm not sure if there isn't
| anything left active.
|
| Also uBlock has an option "Prevent WebRTC from leaking IP
| adresses".
|
| WebRTC should be disabled by default or firefox should ask
| explicitly like with webcam-access.
|
| There have already been reports where sites use your browser as
| a peer in a P2P-network (without your consent). This can be
| really problematic depending on where you live.
| basro wrote:
| Browsers no longer leak local ip addresses, there's a new
| feature that uses mDNS instead of local ips.
| jimmaswell wrote:
| > Prevent WebRTC from leaking IP adresses
|
| A local IP?
| Cactus2018 wrote:
| FYI about these two websites that demonstrate the various
| data your browser shares:
|
| https://browserleaks.com/
|
| https://webkay.robinlinus.com/
| Reelin wrote:
| Yes, oddly enough. It can be used by a website you visit to
| gain information about your local network which turns out
| to be incredibly effective for fingerprinting.
| fr2null wrote:
| WebRTC can also leak your IP when you're hiding behind a
| VPN.
| hanniabu wrote:
| Any way to stop that?
| homami wrote:
| How does it work in practice? It seems in Chrome these errors
| cannot be caught try-catch blocks. try {
| var socket = new WebSocket('ws://localhost:808'); }
| catch (ex) { console.log(ex) // control does not reach
| here }
| mdouglass wrote:
| It probably fires as an async error, I'd expect this would log
| it (if inserted at the end of the try block):
| socket.onerror = (...args) => console.log('async error',
| ...args)
| homami wrote:
| socket.onerror event happens for both cases. But there does
| not seem to be any difference between the error object that
| is passed to the these handlers.
| 2011guy wrote:
| Best to keep a log of all scanning events...
| null4bl3 wrote:
| Now scanning for open ports I can do on Linux.
|
| But how would I go about monitoring which ports are being scanned
| on Linux?
|
| No tool doing this comes to mind
| skizm wrote:
| Is there a setting or something in either chrome or FF to block
| websites from being able to port scan you?
| upofadown wrote:
| Supposedly you can disable websockets in Firefox by setting
| network.websocket.max-connections in about:config to 0.
| TekMol wrote:
| When you do this: new
| WebSocket("ws://127.0.0.1:8080")
|
| An application listening on 8080 is indeed getting a packet
| delivered.
|
| Run this to see the packet: nc -lp 8080
|
| And the page can figure that out via the error returned.
|
| I wonder if that is in line with the same origin policy.
|
| On the other hand, maybe the same is possible by creating an
| image with src="http://127.0.0.1/hello.jpg" and looking at the
| onload/onerror event?
| cygx wrote:
| But note that a simple <img
| src="http://127.0.0.1:8080">
|
| should do so as well, ie this is just the newest iteration of
| an old problem that the major browser vendors never chose to
| properly address - with the exception of Opera, see eg this
| stackoverflow question [1] and corresponding answer from 2011.
|
| [1] https://stackoverflow.com/questions/5464599
| TekMol wrote:
| The page could never read the contents of the image, right?
|
| If the user has a web-socket-server running (for example
| because he is a developer) could the page read from it?
|
| Can a page read from _any_ web socket server on the internet?
| cygx wrote:
| _If the user has a web-socket-server running (for example
| because he is a developer) could the page read from it?_
|
| Only if that server chooses to accept the request, which it
| can decide based on the Origin header.
|
| Personally, I was more concerned with getting spurious
| requests on ports bound to 127.0.0.1 (which I've been using
| for IPC), but that issue already existed before the
| introduction of WebSockets.
|
| WebSockets of course do make things like port scanning
| easier, but as others have pointed out, you could already
| do that with a bit of ingenuity eg through tracking
| response times.
| 637474859 wrote:
| I've been port scanned myself...
| jolmg wrote:
| > Port Scanning is Malicious
|
| Though port scanning can be (and maybe even frequently is) done
| with malicious intent by looking for misconfigured/bugged
| servers, I disagree that it's inherently malicious. Port scanning
| is just about checking to see what services a host is offering
| you. It's like going to a random shop at a mall and asking what
| services they provide. Would asking about their services be
| malicious?
|
| It feels like the reason asking about services is considered
| malicious is because shops frequently give out info to the public
| that they shouldn't have. It's like:
|
| client: What services do you provide?
|
| shop owner: Well, I can provide you with a list of all my clients
| along with their personal information they entrusted to me.
|
| So, is the client being malicious for asking or is the shop owner
| the one that was in the wrong for mistakenly providing that info
| to the public?
|
| I feel the only reason we don't blame the shop owner is because
| even though he's the one that mistakenly discloses private info,
| sometimes he's just following a script written by a random
| programmer unassociated with him. Maybe the response was a
| mistake on the programmers part, maybe it was a mistake in how
| the shop owner used the script (a configuration error). In the
| end, it's simpler to blame the client for asking out-of-the-box
| questions (after all, most clients just come in to ask if you're
| giving out flyers/pamphlets because that's what everybody does)
| and so they don't feel responsible for the response that results.
|
| I can provide a shop that also offers things different than
| http(s) with open access to the public. It shouldn't be a
| crime/violation to ask me if I offer them.
| jrockway wrote:
| I think the dynamics of the Internet have shifted from the
| early days. Basically, HTTPS on port 443 is pretty much the
| only service that anyone intends to make publicly available.
| This is different from 30 years ago, when those same sites had
| HTTP, FTP, Gopher, a public Telnet server, a public NTP server,
| etc. and they wanted you to use them. It was very reasonable to
| look around back then, but nowadays anything that is available
| publicly is probably an accident.
| jolmg wrote:
| Exactly! And do we want to continue on that trend?
| Personally, I don't.
|
| I dislike the growing idea that HTTP is a core part of the
| internet, and not just the most popular part. The difference
| lies in if we're going to see legislation that dictates
| proper use of the lower networking layers like TCP/IP by
| stuff of the upper layers like HTTP. I'd really hate to see
| something along the lines of "it's illegal to use a TCP port
| unless it was specified as available to the public in some
| (possibly js-rendered) part of an HTTP response."
| jrockway wrote:
| I don't think it's worth getting caught up on which data
| framing protocol everyone is using. Everything that Gopher,
| IRC, FTP, etc. did are perfectly expressible as any other
| RPC protocol; these things were just RPCs before we
| invented the term RPC. Now we have protocols that can
| generically transport any RPC, and so we don't need to
| think about these things in terms of port numbers or
| running services.
| blablabla123 wrote:
| True, as if the browser is the only tool to access the
| Internet. Today with the much bigger security awareness it
| would be thinkable to allow file sharing over Internet or
| to fail-over to the neighbour's Internet uplink when the
| own DSL provider has a problem. All these things become
| increasingly difficult. (Actually Bruce Schneier was once
| writing on his blog that he has an open Wifi at home)
| Cakez0r wrote:
| I think it's a bit more like going on to a shop and trying to
| open all the doors, cupboards and drawers to see which ones are
| locked ;)
| jolmg wrote:
| That's a bad analogy. It wrong because you can see what
| doors, cupboards and drawers are available for the public.
| Doors that are in-reach but that shouldn't be used by the
| public have signs like "restricted access" or "employees
| only". You can't do that with the internet. You can't see
| that a port is not available to you until you try it.
|
| If you want to continue using that analogy, then you have to
| consider that everybody is blind and deaf, and checking to
| see what's locked is the _only_ way to know if something is
| available.
| jmchuster wrote:
| Hmm, then how about going to the changing room area and
| trying every door instead of waiting for the guy to tell
| you which one to go to?
| jolmg wrote:
| I made this edit to the post you replied to. You probably
| missed it:
|
| > If you want to continue using that analogy, then you
| have to consider that everybody is blind and deaf, and
| checking to see what's locked is the only way to know if
| something is available.
|
| About this:
|
| > instead of waiting for the guy to tell you which one to
| go to?
|
| How does that translate to TCP/IP? What is "the guy"
| representing? The way I see it, there is no guy.
| jmchuster wrote:
| The guy is you installing Steam to run on port 27036.
| AaronFriel wrote:
| Isn't that the wrong analogy?
|
| In this case, eBay is the shop, and I'm the customer. It's
| like walking into eBay and when I walk in I have to empty out
| all of my pockets and open my phone screen to show them that
| no one is telling me what to shop for (VNC).
| jolmg wrote:
| No, because of the existence of client-side scripting with
| javascript, it's actually eBay that's running on your
| computer acting as the customer toward the shop that's your
| computer. You're right that the end effect is similar to
| having to empty out your pockets, but the underlying issue
| of why they're able to do that is a whole 'nother can of
| worms.
| tjoff wrote:
| A server most definitely should not be looking at what random
| services a client has available.
| jolmg wrote:
| Sure, like I said:
|
| > Though port scanning can be (and maybe even frequently is)
| done with malicious intent
|
| I agree that it's wrong for eBay to be doing this. What I
| disagree with is specifically the statement "Port Scanning is
| Malicious".
| sedatk wrote:
| Port scanning is a brute force, over-reaching probing
| technique. A better analogy would be like visiting a shopping
| mall and trying to open every closed door you see, including
| the ones that say "authorized personnel only", "private", "do
| not enter" with an excuse like "I was trying to find out which
| shop was open".
| jolmg wrote:
| I answered an almost identical reply, here[1].
|
| > including the ones that say "authorized personnel only",
| "private", "do not enter"
|
| Basically, to answer you separately, an analogy like that
| doesn't represent TCP accurately. In your analogy, you can
|
| 1) _see_ from afar for visual cues indicating whether access
| is being given to you, and
|
| 2) try opening it.
|
| Your argument is that doing 2 is invasive, because they can
| do 1.
|
| However, in TCP, you can _only_ try to make the connection.
| _There is no see from afar._ If I give you an IP address,
| there 's no standard way for you to tell me whether FTP is
| available, without trying to connect to the port! That's your
| only choice!
|
| So, yes, "I was trying to find out which [service is
| available]" is a very valid reason.
|
| > Port scanning is a brute force, over-reaching probing
| technique.
|
| It certainly is brute-force, and that sucks. I think there's
| a network service / protocol called Portmapper/rpcbind[2]
| that lists the services available and port numbers they're
| on. I only know that NFS uses it, but nothing else. If that
| were standard, then I'd agree port scanning is over-reaching.
| As it stands, though, I don't consider it over-reaching when
| it's the only TCP mechanism to see what's available online.
|
| [1] https://news.ycombinator.com/item?id=23249246
|
| [2] https://en.wikipedia.org/wiki/Portmap
| superkuh wrote:
| Port scanning isn't malicious behavior. Port scanning is about
| equivalent to walking down the street and looking at the
| architecture of the buildings.
| pdonis wrote:
| Your analogy might apply to a port scanner running over the
| Internet and looking at what ports are open on Internet-facing
| servers. (Though I would still argue the analogy is flawed
| there: port scanning Internet-facing servers is more like going
| up to each locked door on the street and writing down what kind
| of lock it has, in case you want to try to pick it later.)
|
| But a port scanner running inside the browser on my local
| machine is equivalent to someone sneaking into my house and
| going through each room seeing what valuables are there.
| superkuh wrote:
| I agree. It's foolish to give websites permission to do that
| kind of thing. There's a very simple solution: don't give
| them permission. Turn off javascript. Yes, ebay will complain
| but it'll still work. The power is in your hands. No one is
| forcing you to use eBay either.
|
| Giving arbitrary websites the ability to run arbitrary code
| on your machine is just asking for trouble. It's like someone
| who opens and executes every email attachment they receive.
| Try out NoScript temp-whitelist only mode that blocks by
| default and requires manual permission giving.
| clarry wrote:
| > (Though I would still argue the analogy is flawed there:
| port scanning Internet-facing servers is more like going up
| to each locked door on the street and writing down what kind
| of lock it has, in case you want to try to pick it later.)
|
| I disagree, there is no security mechanism in port numbers.
| It's just a door that opens for you or not. Checking whether
| a door opens for you does in no way imply that you're perhaps
| planning a crime.
___________________________________________________________________
(page generated 2020-05-20 23:00 UTC)