Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Network The Internet

Brave Aims To Curb Practice of Websites That Port Scan Visitors (arstechnica.com) 49

An anonymous reader quotes a report from Ars Technica: The Brave browser will take action against websites that snoop on visitors by scanning their open Internet ports or accessing other network resources that can expose personal information. Starting in version 1.54, Brave will automatically block website port scanning, a practice that a surprisingly large number of sites were found engaging in a few years ago. According to this list compiled in 2021 by a researcher who goes by the handle G666g1e, 744 websites scanned visitors' ports, most or all without providing notice or seeking permission in advance. eBay, Chick-fil-A, Best Buy, Kroger, and Macy's were among the offending websites.

Some sites use similar tactics in an attempt to fingerprint visitors so they can be re-identified each time they return, even if they delete browser cookies. By running scripts that access local resources on the visiting devices, the sites can detect unique patterns in a visiting browser. Sometimes there are benign reasons a site will access local resources, such as detecting insecurities or allowing developers to test their websites. Often, however, there are more abusive or malicious motives involved.

The new version of Brave will curb the practice. By default, no website will be able to access local resources. More advanced users who want a particular site to have such access can add it to an allow list. The interface will look something like the screenshot displayed [here]. Brave will continue to use filter list rules to block scripts and sites known to abuse localhost resources. Additionally, the browser will include an allow list that gives the green light to sites known to access localhost resources for user-benefiting reasons.
"Brave has chosen to implement the localhost permission in this multistep way for several reasons," developers of the browser wrote. "Most importantly, we expect that abuse of localhost resources is far more common than user-benefiting cases, and we want to avoid presenting users with permission dialogs for requests we expect will only cause harm."

"As far as we can tell, Brave is the only browser that will block requests to localhost resources from both secure and insecure public sites, while still maintaining a compatibility path for sites that users trust (in the form of the discussed localhost permission)" the Brave post said.
This discussion has been archived. No new comments can be posted.

Brave Aims To Curb Practice of Websites That Port Scan Visitors

Comments Filter:
  • by caseih ( 160668 ) on Thursday June 29, 2023 @08:05PM (#63645162)

    I guess I'm living under a rock because I've not heard of this insidious behavior before. Is there anything I can add to Firefox to block this? Will firefox add a control to allow or disallow localhost ws connections?

    • Same here. How does that even work? Server side script parsing Apache logs and running nmap on collected IPs?
      • by Arnonyrnous Covvard ( 7286638 ) on Friday June 30, 2023 @01:25AM (#63645576)
        Web sockets are not bound by the same-origin policy. You can literally have a script on your web site which connects to arbitrary IP addresses and ports from the client's browser. The only hurdle is that the socket can not be used by the script if the server on that address and port doesn't respond with the web socket protocol. That is not sufficient protection against port scans, and any web socket service you may have on your LAN is fair game anyway, for any website that can run scripts in your browser (that includes ad scripts). This feature brought to you by the same idiots who thought that web sites need to know how much battery you have left and many more stupid information leaks.
      • by arglebargle_xiv ( 2212710 ) on Friday June 30, 2023 @03:06AM (#63645648)

        And as an add-on, WTF would any browser ever allow this by default?

        Random malware: "Hi, I'd like to port-scan your internal network"
        Browser: "Sure, go right ahead, and let me know if you need any help"

        • by AmiMoJo ( 196126 )

          Javascript could already establish HTTP/HTTPS connections to arbitrary IP addresses. So can HTML for that matter. Malware would use HTML that tried to load known image files from popular and vulnerable consumer routers, using the default IP address (usually 192.168.0.1) and then use Javascript to see if any of the images loaded.

          WebSockets are just a lightweight alternative to HTTPS for transferring data to "live" websites that update their content via Javascript. Think chat apps like Discord, weather and tr

    • by rmdingler ( 1955220 ) on Thursday June 29, 2023 @08:19PM (#63645200) Journal

      Port Authority for Firefox blocks websites from using javascript to port scan your computer/network.

      Since this defense has been available for a couple of years, is there any insidious effort afoot by the port jackers to circumvent?/p?

      • by caseih ( 160668 )

        Thanks for the tip. I've immediately installed it. It seemed to alert me and block the attempt by ebay to run the nexislexis port scan so that's good.

        I don't think there's anything new. Just that Brave is baking blocking right into their browser so no add-ons are required.

        • by AmiMoJo ( 196126 )

          Have you found that eBay still works? I find it's okay with uBlock Origin blocking its port scans.

          The only websites I've found to consistently break with privacy enhancements are airline sites. Fortunately I don't need to use them very often.

      • by RitchCraft ( 6454710 ) on Thursday June 29, 2023 @09:02PM (#63645254)

        uBlock Origin has been port scan blocking since 2020. https://www.bleepingcomputer.c... [bleepingcomputer.com]

        • by caseih ( 160668 )

          Good to know. Port Authority still reported an attempt, though, when I visited E-bay.

        • by arglebargle_xiv ( 2212710 ) on Friday June 30, 2023 @03:15AM (#63645668)

          uBlock Origin blocks known scripts that do the scanning, not the scanning itself. Port Authority looks for attempts to interact with Lexis Nexus and blocks scripts based on that behaviour. I don't think either of them block scanning in general.

          If anyone knows of an extension that does do this, or if any Firefox developers who aren't busy working on the next all-important UI refresh are reading this (if there are any, that is), let the world know.

          • by nmb3000 ( 741169 ) on Friday June 30, 2023 @12:30PM (#63646674) Journal

            uBlock Origin blocks known scripts that do the scanning, not the scanning itself.

            Yes and no. A new privacy filter was added around a year ago [reddit.com] specifically to block intrusion into the local LAN (see the filter here [github.com]). It can be enabled under:

            uBlock Settings > Filters > Privacy section > Block Outsider Intrusion into LAN.

            I haven't tested it (this issue just having come to my attention, like many others), but it seems like it should block all requests, including WebSockets (used for port scanning). You'll probably have to disable uBlock when on some LAN-hosted pages (like Plex or NAS or router config, etc) or things may break. There are tips in that Reddit thread about unblocking specific hosts. I guess you could also add the $websocket filter option [adblockplus.org] to each entry in the privacy filter and save it as custom rules instead, so that it only blocks web sockets.

            • Thanks for that! Just enabled it (it's disabled by default) and tried a pile of LAN stuff, NVR, NAS, IP phone, WiFi APs, a pile of embedded systems devices, and all of them worked fine with it. So definitely worth enabling if you don't have it enabled already.
      • Port Authority for Firefox blocks websites from using javascript to port scan your computer/network...

        C'mon now. How about a golf clap for marketing.

        Seriously. Great name for that service. Heh.

      • by dargaud ( 518470 )
        Is there a technical reason why browsers need a port scanning function built-in ?!? It seems completely stupid. And, let me guess, the scan comes from localhost, so it bypasses many firewalls that'll block scans from outside, right ?
    • by cstacy ( 534252 )

      I guess I'm living under a rock because I've not heard of this insidious behavior before.

      Misread as "living under a root" (kit), but that's my reaction too. Most web sites are read off a CDN, anyway. And port scanning everybody who shows up? Sounds incredibly expensive. What web sites are doing this? Is it just some "dark web" sites for soliciting child porn drug murder cryptocurrency "tech support" via anyDex out of Pakistan?

  • Wow. Just wow. (Score:5, Insightful)

    by Baron_Yam ( 643147 ) on Thursday June 29, 2023 @09:52PM (#63645322)

    I was thinking these sites were running port scans against unique public IPs visiting them. But to see this is something they request your browser to do on their behalf, to do a port scan at your local system, and that ability is actually built in to your browser with no security?

    That's bananas. No web site script should ever be allowed to do ANYTHING other than send my in-window actions back to the web server unless a nice, big "pretty please" security box pops up requiring me to approve it.

    • Actually, all modern web browsers will block attempts to connect anywhere but the original website, with some exceptions (most notably, it will query the website requested to see if it is OK to allow a cross-site request from the original site).

      My guess is there is some sort of timing attack going on to detect the difference between a rejected connection and one that the browser blocks after it queries the site to see if it should be allowed. Or there is an indirect method such as referencing a url using a

      • Re:Wow. Just wow. (Score:5, Informative)

        by Tailhook ( 98486 ) on Thursday June 29, 2023 @11:07PM (#63645418)

        My guess is there is some sort of timing attack

        You don't need to rely on guesswork. The facts are that some browsers do indeed permit requests to 127.0.0.1 and other "local" addresses from JavaScript. Today. Not at some point in the distant past.

        Why? Various reasons, all bad. You can read about it in W3's documentation here [w3.org], where 127.0.0.0/8 is explicitly called out as an exception that browsers "may" consider "potentially secure," and thus allow requests, even if responses to those requests are not consumable by JavaScript due to SOP.

        If you're still not convinced, go to ports.sh [ports.sh] and test your browser now. If you're foolish enough to be using Firefox in 2023 you will discover that your browser can indeed scan your local ports for open services.

        So Baron_Yam's astonishment that this can occur in our day-in-age is not misplaced. There are indeed some browsers still demented enough to permit it.

        Also, if you haven't been running Brave as you're go-to browser for at least 2 years now you're a bonehead. Just so you know.

        • I suppose there is a valid case for browser JS communicating bidirectionally with desktop apps. For instance, being able to be already logged into a website and then sync auth credentials with a desktop app. (Discord seems to do the inverse of this for logging into their support website.) But, that said, it should definitely be opt-in. Especially if asshats like Lexis Nexis is anywhere near it.
        • Re:Wow. Just wow. (Score:5, Interesting)

          by mosch ( 204 ) on Friday June 30, 2023 @01:15AM (#63645556) Homepage

          Thank you for the pointer to ports.sh. At a quick glance, it looks like Brave, Safari, and Chrome did not allow the scan, but Firefox did.

          • Results from running https://ports.sh/full [ports.sh] on my Mac with latest browser versions and no blocking add-ons:

            Chrome Version 114.0.5735.198 (Official Build) (arm64) happily ran the scan in an incognito window, It found 4 open ports in the full 65,535 scan.

            Firefox Version 114.0.2 (64-bit) runs the scan but the webpage does not update, although the Developer Tools Console shows the scan running. It found no open ports. For the same ports that Chrome found open, FF console logs show as not open.

            Brave Versi
            • I always forget Safari exists ... Safari Version Version 16.5.1 (18615.2.9.11.7) ran the full scan, the webpage updates, and finds no open ports. The same four ports that Chrome shows as open, Safari console output logs as closed.
        • > If you're still not convinced, go to ports.sh [ports.sh] and test your browser now.
          > If you're foolish enough to be using Firefox in 2023 you will discover that your browser
          > can indeed scan your local ports for open services.

          Umm, I ran the script at ports.sh (after turning off NoScript) on my Mac's installed FF:

          TCP Port Scanner, Written in Go, Compiled to WebAssembly.
          Open Ports:
          Open:


          Got a whole lot of nothing - not sure what your talking about
          • One possibility is that you don't have any ports open on 127.0.0.1, or maybe you toggled on strict anti-fingerprinting options. I am just guessing, I have no direct knowledge of the matter.
          • Check the Javascript Console while the script is running. You will see the port scan, but in my case FF did not find the same open ports that Chrome found.
        • by Somanorg ( 28422 )

          If you're still not convinced, go to ports.sh [ports.sh] and test your browser now. If you're foolish enough to be using Firefox in 2023 you will discover that your browser can indeed scan your local ports for open services.

          Just tried ports.sh with both Chrome and Firefox and it came back with nothing. Chrome has Ad Block Plus running and Firefox not

        • by myrdos2 ( 989497 )

          If you're foolish enough to be using Firefox in 2023 you will discover that your browser can indeed scan your local ports for open services.

          I'm using Firefox 2023 and that website doesn't work. Sadly, a lot of my "I'm using Firefox" stories end that way these days...

      • Actually, all modern web browsers will block attempts to connect anywhere but the original website, with some exceptions (most notably, it will query the website requested to see if it is OK to allow a cross-site request from the original site).

        The cross-site restrictions are for shit like sharing cookies, http authorizations, etc. Nothing stops a site from actually hitting remote (or local) servers. It's just that auth context is kept separate. webrtc bits can also be particularly nasty for local fingerprinting.

  • Brave is a browser. It makes TCP connections to certain ports. It certainly isn't in charge of my firewall, nor does it have permissions to fuck around with it - nor could it, because my firewall doesn't reside on my desktop machine.

    So what the hell is Brave talking about? There's technically nothing they can do to "stop port scanning": whoever is doing the port scanning will be doing it against my internet-facing firewall, totally unbeknown to the Brave browser.

    As for fingerprinting me through port scannin

  • That's why Brave is and has been my browser of choice for about a year. its features are so well done that you rarely need third party extensions to get the main things.
  • I'm assuming they aren't blocking connections to localhost when that's the page origin. If so, that would make website development a lot harder.

    Either way, assuming these actually have a valid purpose, then blocking the request and making the user manually add a site to an allowlist so that the website won't break is entirely the wrong solution.

    A more user-friendly approach would be to show a dialog upon the first connection to localhost from a given site saying, "This website wants to connect to an applic

  • I've always hated it, always distrusted it. Disable it when I can.

    (Can't think of a concrete reason to hate node.js, but it bugs me in a suspicion-by-association way.)
  • Every time I have tried to use Brave, nothing works on any website I am trying to look at, and I don't have the patience to figure out the 18 things I need to enable to get it to work. Brave is essentially the same thing as disabling the web, which maybe is the right thing to do in the first place.

    • Brave has been my primary for about 4 years now, and I very rarely have any problems. I've never had to do any weird configuration to make things work.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...