This complaint is real cute, but the trite answer is that this is how things have worked for a long time. Awareness of it spreads for a while whenever high-profile events receive media and blog coverage, and perhaps the exploitability of this has increased compared to several years ago when products that opened up various HTTP-accessible servers were less common (or secured by obscurity). This isn't necessarily an excuse to not explore mitigations through consensus in future browser behavior - after all, that process of loose but eventual consensus of incremental UX and airquote "security" improvements is how SOP and CORS and C-S-P came about and the cookie saga evolves.

But consider that legitimate uses of cross-domain requests to localhost exist (e.g. an OAuth callback endpoint), while also keeping in mind that users from all walks of life are, perhaps unbeknownst to them, managing LANs of computing devices running dozens of servers, often with modern encryption such that communications between the program and the remote server are becoming harder to intercept and oversee, and lack a comprehensive capability to monitor, analyze, blacklist, whitelist, or snipe traffic in a way that's not cumbersome or borderline user-hostile. Etching away on one or two widely deployed corners of it won't fix the overall landscape, even if it may significantly reduce the chance of "drive-by" exploitation through websites accessed through commonly used browsers.

First, I think this is right and that websites shouldn't be able to hit any localhost or private address spaces.

But this leads to a bigger question, what makes private address space special? Not really all that much. Running an internal network using public addresses isn't super common these days but isn't uncommon by any stretch. Does it make any sense that any website on the internet is allowed to hit any other site accessible by your machine that uses a public address? There is definitely a security boundary being crossed here. Say for example I run a web service that's private to my work's office. So spin up a machine on my VPS account, give it a public address, and lock down the firewall to my office's address range. Someone running Spotify in browser shouldn't have to worry about a malicious page hitting a potentially sensitive internal service.

Does it make any sense for me to have to establish a VPN connection to my VPS for the sole purpose of giving it a private address so browsers will block it? Ew. I could also configure a CORS policy but we're talking about a service that used a trick to bypass this protection - and plus nobody knows how to set that up right anyway.

There are legitimate reasons to open a webserver locally. However, the benefits from these restrictions are too great not to consider some sort of protection. Perhaps there could be an authorization request the user could allow (similar to how we got rid of the pop-ups) in the most natural way possible (we don't want to break intranets, for example).

Another security-related bad pattern that annoys me is how some of this authorization stuff steals your focus, making it impossible for you to ignore them (like, you cannot move to another tab before deciding to allow or not something).

Another thing is how sometimes it is not completely clear if something is an element of a website or your browser or system. For example, imagine you have to type your user password for a random update to complete, but you are browsing some website. Suddenly you see a prompt with your username and a password field matching your system's. However, you can only know for sure this isn't phishing if you try to cmd+tab and it is still there. Heck, the system should try to detect you are on a window showing unsigned/unsafe content and paint something out of the frame (like coming from the top address bar) so you can easily identify it's legit (because a website shouldn't be able to print a portion of your screen outside of 'window').

I do agree in principle that web browsers probably should not allow non-local web sites to make requests to local IP addresses. However, I don't really see that as the fundamental problem with the Zoom web server. They just happened to use local web requests to externally trigger the Zoom application, because it's probably the most convenient to implement.
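Added example (mine, not code from any commenter or from Zoom): a loopback-only HTTP service that decides per request whether a web page may drive it, by checking the Origin header (or, for simple GETs that carry no Origin, the Referer) against an allow-list, with `https://app.example.com` as a hypothetical allowed first-party origin. It also makes the caveat behind the CORS remark above concrete: CORS only limits what a page can read back, the browser sends the request regardless, so the decision has to be made on the server.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Web origins (scheme://host[:port]) allowed to drive this local service.
# Constructed for this example; a real deployment lists its own first-party origin(s).
ALLOWED_ORIGINS = {"https://app.example.com"}


def origin_of(headers):
    """Return the web origin a request is attributable to, or None if there is none.
    Browsers send Origin on cross-origin fetch/XHR and POSTs; many simple GETs
    (an <img> tag, a plain navigation) carry only Referer, so fall back to it.
    An unparsable Referer is returned verbatim so it fails the allow-list check."""
    origin = headers.get("Origin")
    if origin:
        return origin.lower()            # "null" (sandboxed/file pages) stays untrusted
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}".lower() if parts.netloc else ref.lower()
    return None


def check_request(headers, allowed=ALLOWED_ORIGINS):
    """Return (status, extra_headers) for a request to the loopback service.
    No web origin at all (curl, the desktop app's own client) -> allowed.
    Allow-listed origin -> allowed, with CORS headers so that page may read the reply.
    Any other origin -> 403 and no CORS headers, so a random page gets nothing done."""
    origin = origin_of(headers)
    if origin is None:
        return 200, {}
    if origin in allowed:
        return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 403, {}


class LocalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.headers is case-insensitive, so "origin"/"Origin" both resolve.
        status, extra = check_request(self.headers)
        body = json.dumps({"ok": status == 200}).encode()
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only, so the service is never reachable from the LAN.
    HTTPServer(("127.0.0.1", 8765), LocalHandler).serve_forever()
```

Binding to 127.0.0.1 and checking the origin are complementary: the first keeps other hosts out, the second keeps other web pages out.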