@Gargron okay but "Port Scanning is Malicious" yeah nnnno.

@halcy No, seriously, a random web page being able to fingerprint me based on which programs I'm running is not cool

@Gargron @halcy block 127.0.0.1 on your browser (with something like uBlock origin)

@nino @Gargron sure, I have absolutely no problem figuring out how to stop that, but _why is it browser default policy to allow websocket connections to private ip ranges_ like that's absolutely crazy to me. shouldn't some kind of same origin policy prevent this in general

@halcy @Gargron yeah I agree, I don’t understand how it’s possible in the first place.

@halcy @nino @Gargron Same, the only times I've seen where you are supposed to make connections to localhost is Musicbrainz. Otherwise there's no reason to disallow it in CORS.

@Gargron it's literally just connecting to every port that you care about and seeing if the computer on the other side replies back

the real issue here is why is a random ass website allowed to open websockets to localhost

@halcy Exactly

I don't think the author necessarily meant server port scanning was malicious

Although it is often used to find vulnerabilities so it kind of is

@halcy @Gargron because reasons?
I remember that js is given no info whatsoever (and especially no status codes) with the exact reasoning to disallow port scanning, but as the article says they still use timing

@charlag @halcy Well, unless you're a developer, and most likely unless you're also on a localhost page in the browser, I don't think you would ever legitimately want to connect to a localhost websocket. It's strange that it's allowed.

@Gargron @halcy true, it makes no sense even for webrtc because it's... well... localhost.
It can also scan things in your network which is maybe even more fun

@halcy @Gargron I'd imagine there's a great many services that don't expect anything to send HTTP requests to them on their localhost TCP ports that would crash or do something unexpected
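One thing a localhost service can do about the unexpected requests mentioned above is check the Origin header on the WebSocket handshake and refuse upgrades from web pages it does not expect. This is an added example, not code from this thread or from any project discussed in it; the allow-list, the helper names and the sample handshakes are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only web origins this local service expects.
# Any other origin means some unrelated page in a browser tab is talking to us.
ALLOWED_ORIGINS = frozenset({"http://localhost:8080", "http://127.0.0.1:8080"})

# Constructed handshakes: one from the expected local UI, one from a foreign site.
GOOD_REQ = (b"GET /ws HTTP/1.1\r\nHost: 127.0.0.1:9000\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nOrigin: http://localhost:8080\r\n"
            b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
            b"Sec-WebSocket-Version: 13\r\n\r\n")
FOREIGN_REQ = GOOD_REQ.replace(b"Origin: http://localhost:8080",
                               b"Origin: https://shop.example")


def parse_upgrade_request(raw: bytes) -> dict:
    """Return the headers of an HTTP/1.1 request with names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decide_handshake(headers: dict, allowed=ALLOWED_ORIGINS):
    """Decide (status, reason) for a WebSocket upgrade before any app logic runs.

    Browsers always send Origin on a WebSocket handshake (RFC 6455), so an
    Origin outside the allow-list is a page we never expected to reach this
    port and gets 403.  A request with no Origin comes from a non-browser
    client and is outside the scope of this check.
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return 400, "not a websocket upgrade"
    origin = headers.get("origin")
    if origin is None:
        return 101, "accepted: no Origin (non-browser client)"
    parts = urlsplit(origin)
    # Reject "null", missing scheme/host, or anything with a path appended.
    if (parts.scheme not in ("http", "https") or not parts.netloc
            or origin != f"{parts.scheme}://{parts.netloc}"):
        return 403, "malformed Origin"
    if origin.lower() not in allowed:
        return 403, f"origin {origin} not allowed"
    return 101, "accepted"


if __name__ == "__main__":
    for req in (GOOD_REQ, FOREIGN_REQ):
        print(decide_handshake(parse_upgrade_request(req)))
```

This keeps a foreign page from actually using the service, but it does not hide whether the port is open, which the timing trick above still reveals; that part has to be blocked on the browser side, as with the uBlock rule mentioned earlier in the thread.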

@Gargron

Whether the port scan is used as part of an infection or part of e-commerce or bank "security checks", it is clearly malicious behavior and may fall on the wrong side of the law.

the people who wrote this never used irc? 🙂

@Gargron ideally I don't ever slip up like this, but if I leave my bank website open when I start screensharing I definitely want it to log me out.

@Gargron Any idea what browser extension would block this behaviour? doesn't seem to...
