toupeira | 5 years ago

Oh well. I ended up adding these rules to uBlock Origin, suggestions for improvement welcome:

    ||localhost^$important,third-party
    ||127.*^$important,third-party
    ||10.*^$important,third-party
    ||192.168.*^$important,third-party
    ||172.16.*^$important,third-party
    ||172.17.*^$important,third-party
    ||172.18.*^$important,third-party
    ||172.19.*^$important,third-party
    ||172.20.*^$important,third-party
    ||172.21.*^$important,third-party
    ||172.22.*^$important,third-party
    ||172.23.*^$important,third-party
    ||172.24.*^$important,third-party
    ||172.25.*^$important,third-party
    ||172.26.*^$important,third-party
    ||172.27.*^$important,third-party
    ||172.28.*^$important,third-party
    ||172.29.*^$important,third-party
    ||172.30.*^$important,third-party
    ||172.31.*^$important,third-party

lstamour | 5 years ago

That won’t help if someone sets up public DNS to point to localhost or 127.0.0.1 though. Unless you check after DNS is resolved?

It’s also possible someone might bind to an IPv6 address.

Better to rely on fixes mentioned elsewhere for web socket servers running on the local machine, including inserting a secret key into web socket path or query param, ensuring the web socket validates the path or query, and ensuring there are no web socket endpoints that could be used to get the secret from the websocket when not passed in. (Like an index of paths.) The Node debugger is mentioned elsewhere here as an example and cautionary tale.

Paranoid folks could maybe trick their everyday browser into never connecting to localhost via various means, and there’s an argument that websockets deserve localhost third-party restrictions or prompts, but if I were an attacker, publishing a malicious package via the web is significantly easier and higher value. Also, websockets require JS so disabling JS is another workaround. But then the site could encourage you to enable it for other reasons...

toupeira | 5 years ago

Thanks, I was aware of the DNS rebinding possibility but not sure how to best protect against that. I'm also less worried about websockets and other things that I know are running on my machine, but more about all the other random devices floating around in my network.

What I really want is a way to block (by default) all connections to my local network from websites outside of my network, like a firewall.

It amazes me that browsers just allow this, this should require a permission prompt.

benibela | 5 years ago

I have even pointed various webpages to 127.0.0.1

When I do not want the browser to access somedomain.com, I redirect somedomain.com to 127.0.0.1 in my hosts file