undefined | Better HN

0 pointsadastra228mo ago0 comments

Why though? What is the use case that demands this? It'd better be a real pressing need because the security risks are immense and obvious. This is a backdoor to every network firewall.

0 comments

johncolanduoni8mo ago

It’s more that it wasn’t prevented back when the web was first coming together, because security wasn’t on almost anyone’s minds at all. There wasn’t a hole added at some point; it’s just that browsers didn’t specifically block domains that resolve to public IPs from accessing domains that resolve to private IPs.

Realistically, it’s a backdoor to every network firewall that has existed for the entire era in which browsers were used in “secured” internal networks also connected to the internet. Everyone has either designed with it in mind, or gotten lucky that nobody tried to use it on them for like 30 years. I think it’s good to put away this footgun, but there’s no useful blame to assign here.

adastra22OP8mo ago

i thought it was prevented by standard browser cross-domain security checks. Thats why I'm so surprised.

johncolanduoni8mo ago

Requests that need a CORS preflight will fail with any browser from the last 20 years, yes. The private IP addresses are not any more vulnerable than `www.google.com` is from `www.notgoogle.com` for cross-origin policy (subdomain-sensitive policies have a small extra vulnerability). But you’re right that doing this kind of thing without nefarious intent is an insane edge case and it should be opt-in. People spray `Access-Control-Allow-Origin: *` like it’s DDT in the 50s and half ass security in general when it’s on an intranet, so an extra guardrail is still worth it.

psd18mo ago

I'm hazy on the details, but:

Home Assistant has a well-known public name that opens your local instance. On first access, you need to give it the name or ip of your instance, which is saved in browser storage. This supports deep links into your config from forum posts.

My mum also had a shitty D-Link wifi mesh device, which was packaged as an appliance. I cannot speak lowly enough about that garbage device, but then, I am not really the target market. iirc it had something similar; a public dns name for local appliance mgmt.

adastra22OP8mo ago

How is that the same thing? That is a DNS entry that resolves to an internal IP. That lets a user explicitly type a domain and get something internal. That wouldn’t allow cnn.com to ports scan my fridge.

psd18mo ago

No, it is not, or it would not work outside 192.168.

b3lvedere8mo ago

I remember Fritzbox devices doing the same. Wasn’t a real problem until someone actually hijacked the fritz.box domain.

j / k navigate · click thread line to collapse

0 comments

johncolanduoni8mo ago

adastra22OP8mo ago

i thought it was prevented by standard browser cross-domain security checks. Thats why I'm so surprised.

johncolanduoni8mo ago

psd18mo ago

I'm hazy on the details, but:

adastra22OP8mo ago

psd18mo ago

No, it is not, or it would not work outside 192.168.

b3lvedere8mo ago

I remember Fritzbox devices doing the same. Wasn’t a real problem until someone actually hijacked the fritz.box domain.

j / k navigate · click thread line to collapse