@Gargron okay but "Port Scanning is Malicious" yeah nnnno.

@halcy No, seriously, a random web page being able to fingerprint me based on which programs I'm running is not cool

@Gargron it's literally just connecting to every port that you are about and seeing if the computer on the other side replies back

the real issue here is why is a random ass website allowed to open websockets to localhost

@halcy Exactly

I don't think the author necessarily meant server port scanning was malicious

Although it is often used to find vulnerabilities so it kind of is

@halcy @Gargron because reasons?
I remember that js is given no info whatsoever (and especially no status codes) with exact reasoning to disallow port scanning but as article says they still use timing

@charlag @halcy Well, unless you're a developer, and most likely unless you're also on a localhost page in the browser, I don't think you would ever legitimately want to connect to a localhost websocket. It's strange that it's allowed.

@Gargron @halcy true, it makes no sense even for webrtc because it's... well.. localhost.
It can also scan things in your network which is maybe even more fun

@halcy @Gargron I'd imagine there's a great many services that don't expect anything to send HTTP requests to them on their localhost TCP ports that would crash or do something unexpected

@Gargron ideally I don't ever slip up like this, but if I leave my bank website open when I start screensharing I definitely want it to log me out.

@Gargron Any idea what browser extension would block this behaviour? doesn't seem to...
