@Gargron okay but "Port Scanning is Malicious" yeah nnnno.

@halcy No, seriously, a random web page being able to fingerprint me based on which programs I'm running is not cool

@Gargron @halcy block it in your browser (with something like uBlock Origin)

@nino @Gargron sure, I have absolutely no problem figuring out how to stop that, but _why is it browser default policy to allow websocket connections to private IP ranges_? Like, that's absolutely crazy to me. Shouldn't some kind of same-origin policy prevent this in general?

@halcy @Gargron yeah I agree, I don’t understand how it’s possible in the first place.

@halcy @nino @Gargron Same, the only time I've seen where you are supposed to make connections to localhost is MusicBrainz. Otherwise there's no reason to disallow it in CORS.

@Gargron it's literally just connecting to every port that you are about and seeing if the computer on the other side replies back

the real issue here is why is a random ass website allowed to open websockets to localhost

@halcy Exactly

I don't think the author necessarily meant server port scanning was malicious

Although it is often used to find vulnerabilities so it kind of is

@halcy @Gargron because reasons?
I remember that JS is given no info whatsoever (and especially no status codes), with the exact reasoning of disallowing port scanning, but as the article says they still use timing.

@charlag @halcy Well, unless you're a developer, and most likely unless you're also on a localhost page in the browser, I don't think you would ever legitimately want to connect to a localhost websocket. It's strange that it's allowed.

@Gargron @halcy true, it makes no sense even for webrtc because it's... well.. localhost.
It can also scan things in your network which is maybe even more fun

@halcy @Gargron I'd imagine there's a great many services that don't expect anything to send HTTP requests to them on their localhost TCP ports that would crash or do something unexpected
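One mitigation a local service can apply, shown here as an added example (not code from anyone in this thread): check the browser-supplied Origin header on incoming WebSocket upgrade requests against an allowlist, since the browser sets that header itself and page scripts cannot forge it. The allowlist and the request bytes below are constructed for illustration.

```python
"""Origin allowlist check for a service listening on 127.0.0.1.

Added example, not from the thread. A service bound to localhost is still
reachable by JavaScript on any web page, because the browser makes the
connection. The handshake carries an Origin header that the browser sets and
the page cannot override, so the local service can refuse unknown origins.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Hypothetical allowlist: only a page served by the local app itself may connect.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def parse_request_headers(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into (request line, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def origin_allowed(headers: dict[str, str], allowed=ALLOWED_ORIGINS) -> bool:
    """True if the request may proceed.

    No Origin header means a non-browser client (curl, another local process);
    the browser-driven connections discussed above always carry one. An Origin
    that is present must be a well-formed scheme://host[:port] on the allowlist;
    "null" (sandboxed frames, file://) and anything else is rejected.
    """
    origin = headers.get("origin")
    if origin is None:
        return True
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in {a.lower() for a in allowed}


def handle_request(raw: bytes) -> int:
    """Return the HTTP status the local service should answer with."""
    _request_line, headers = parse_request_headers(raw)
    if not origin_allowed(headers):
        return 403  # cross-site page: refuse before any application logic runs
    if headers.get("upgrade", "").lower() == "websocket":
        return 101  # proceed with the WebSocket handshake
    return 200
```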

Whether the port scan is used as part of an infection or part of e-commerce or bank "security checks", it is clearly malicious behavior and may fall on the wrong side of the law.

The people who wrote this never used IRC? 🙂

@Gargron ideally I don't ever slip up like this, but if I leave my bank website open when I start screen sharing I definitely want it to log me out.

@Gargron Any idea what browser extension would block this behaviour? Doesn't seem to...
