undefined | Better HN

0 pointsgsnedders6y ago0 comments

To add more about why current browsers don't do this:

One is clearly that you need to communicate the requesting IP deep enough into the network stack to the point where you get the DNS response (if there is one), which means there's a fair bit of work to ensure this is done everywhere;

Another is it's known to break corporate websites (https://internal.bigcorp.com/ on a public IP expecting to be able to access private IPs on their intranet), and smaller browsers are reluctant to lose corporate users by changing long-standing behaviour;

Then there's the WebRTC question: if two users on the same local network start a WebRTC call, do we want all this traffic to go to via first point where the public IP is known? For the majority of users the answer is no. And as long as that's possible, there's a (very limited) means of local communication. (But if it's limited to only things that respond to the WebRTC handshake, we're already in a much better place!)

0 comments

14 comments · 3 top-level

vbezhenar6y ago· 8 in thread

In Kazakhstan we have e-government website. This website allows users to use crypto-tokens to access government services (every citizen can get a digital certificate representing his identity).

This website used to run Java applet. This applet was signed and it could access restricted APIs to access USB device. So website talked to applet and applet talked to USB device to sign data.

After major web browsers disabled Java applets, they implemented another approach. Now user must install a software which runs a web server on 127.0.0.1. This webserver listens on a specific port and uses web socket to communicate.

So government website now uses JavaScript to connect to 127.0.0.1:12345 using websocket. And then it uses that connection to interact with USB device.

So an ability for external website to connect to 127.0.0.1 actually is essential for this use-case.

My guess is that there are plenty of other websites which use local web server to interact with locally installed software. I know at least one another such a website: Blizzard website. It runs web server in its game launcher and website can communicate with it.

PS also they have to install custom trusted certificate because browser requires wss from https and there's no easy way to get a legitimate certificate for that kind of use.

geofft6y ago

Since these use cases already require having software installed on your machine, it seems fine and safer to use a browser extension with native messaging for this:

https://developer.chrome.com/extensions/nativeMessaging

https://wiki.mozilla.org/WebExtensions/Native_Messaging

That bypasses the entire certificate question and lets the website know it's communicating with exactly this app and not something happening to listen on the port (and vice versa, too).

... Or, depending on what you're doing, just use a real desktop app, perhaps with an embedded browser.

vbezhenar6y ago

Yep, that might work. But that would require significantly more work to support all browsers and platforms. Currently it's just a Java application and it works independently of OS or browser.

justinclift6y ago

> So government website now uses JavaScript to connect to 127.0.0.1:12345 using websocket.

It sounds like random other websites (Ebay, etc) would be able to interact with people's USB devices this way too. Maybe without people knowing?

_nalply6y ago

Yes, if this is programmed badly (missing security or a security hole).

The browser connecting to the government website accesses two servers: the original one and the second local one you install yourself on your system. The local server runs natively and therefore can access the USB device. Like all servers it should be programmed such that misuse by hackers is prevented.

1 more reply

vbezhenar6y ago

When JavaScript establishes websocket connection, it sends its origin URL (I don't remember exactly where, probably that's in Referer header). So local webserver can deny connections from unwanted websites.

ThePowerOfFuet6y ago

The app running on localhost using WSS is not why they want[ed?] you to install a custom CA certificate.

https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...

vbezhenar6y ago

No, that's not true. They used different certificate to MITM connections.

closeparen6y ago

There's no need to roll your own hardware integration for crypto tokens. Browsers have been able to do PKCS#11 client certificates from smart cards for a long time, in case WebAuthN / U2F are too modern for you.

loeg6y ago· 3 in thread

Outside of DNS, the other reasons are about local networks, not 127.0/8. There's no good reason to permit port-scanning 127.0/8.

nucleardog6y ago

So remove "port scanning" since the only difference between port scanning and "legitimate" connection attempts is rate.

Should websockets be able to connect to the local machine?

In some cases that could be useful (even if something the kinds of people visiting this site might be uncomfortable with). E.g., a local daemon that listens for a websocket connection and a public web page that's used for managing it.

I don't think it was implemented this way, but think something like Battlefield 3's matchmaking: the user visits the online service and finds a match to join, and when they want to join it passes the relevant information to the game via websocket.

I imagine stuff like this has been implemented in at least a couple cases that you'd break just wholesale blocking connections to 127/8.

neop1x6y ago

It can ask user explicitly like it asks for microphone. It is not common for a website page to need access to the local network services as it is to record microphone or request location data. So it's browser fault IMO.

gsneddersOP6y ago

Still need to know where the top-level page is loaded from, though: you do want to allow requests from 127/8 to "localhost".

csagan56y ago

In Chromium it might not be blocked just because of an oversight (or because there was no consensus), see my other comment (and its parent): https://news.ycombinator.com/item?id=23253264

j / k navigate · click thread line to collapse

0 comments

14 comments · 3 top-level

vbezhenar6y ago· 8 in thread

In Kazakhstan we have e-government website. This website allows users to use crypto-tokens to access government services (every citizen can get a digital certificate representing his identity).

This website used to run Java applet. This applet was signed and it could access restricted APIs to access USB device. So website talked to applet and applet talked to USB device to sign data.

So government website now uses JavaScript to connect to 127.0.0.1:12345 using websocket. And then it uses that connection to interact with USB device.

So an ability for external website to connect to 127.0.0.1 actually is essential for this use-case.

PS also they have to install custom trusted certificate because browser requires wss from https and there's no easy way to get a legitimate certificate for that kind of use.

geofft6y ago

Since these use cases already require having software installed on your machine, it seems fine and safer to use a browser extension with native messaging for this:

https://developer.chrome.com/extensions/nativeMessaging

https://wiki.mozilla.org/WebExtensions/Native_Messaging

That bypasses the entire certificate question and lets the website know it's communicating with exactly this app and not something happening to listen on the port (and vice versa, too).

... Or, depending on what you're doing, just use a real desktop app, perhaps with an embedded browser.

vbezhenar6y ago

Yep, that might work. But that would require significantly more work to support all browsers and platforms. Currently it's just a Java application and it works independently of OS or browser.

justinclift6y ago

> So government website now uses JavaScript to connect to 127.0.0.1:12345 using websocket.

It sounds like random other websites (Ebay, etc) would be able to interact with people's USB devices this way too. Maybe without people knowing?

_nalply6y ago

Yes, if this is programmed badly (missing security or a security hole).

1 more reply

vbezhenar6y ago

ThePowerOfFuet6y ago

The app running on localhost using WSS is not why they want[ed?] you to install a custom CA certificate.

https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...

vbezhenar6y ago

No, that's not true. They used different certificate to MITM connections.

closeparen6y ago

loeg6y ago· 3 in thread

Outside of DNS, the other reasons are about local networks, not 127.0/8. There's no good reason to permit port-scanning 127.0/8.

nucleardog6y ago

So remove "port scanning" since the only difference between port scanning and "legitimate" connection attempts is rate.

Should websockets be able to connect to the local machine?

I imagine stuff like this has been implemented in at least a couple cases that you'd break just wholesale blocking connections to 127/8.

neop1x6y ago

gsneddersOP6y ago

Still need to know where the top-level page is loaded from, though: you do want to allow requests from 127/8 to "localhost".

csagan56y ago

In Chromium it might not be blocked just because of an oversight (or because there was no consensus), see my other comment (and its parent): https://news.ycombinator.com/item?id=23253264

j / k navigate · click thread line to collapse