
Google Chrome new feature will block attacks against home networks and local subnets

Brandon Lee
(@brandon-lee)

Cool new feature will help protect home networks:

Google is developing a new security feature aimed at blocking harmful websites from using a visitor's browser as a gateway to launch attacks on private network devices and services, such as home printers or routers.

In simpler terms, Google's initiative is to safeguard users' internal devices, which are generally considered secure because they aren't directly accessible over the internet and are shielded by a router, from online threats.

Google explains the concept in a support document: The goal is to stop harmful websites from exploiting the browser's network access to target devices and services on a user's local network or personal computer, which are presumed to be safe from internet-based attacks.

Introducing "Private Network Access Protections"

This upcoming feature, set to debut in Chrome version 123 in a "warning-only" mode, will perform checks when a public website attempts to make the browser connect to a site within the user's private network.

These checks will determine whether the request originates from a secure environment and will include a preliminary inquiry to ascertain if the targeted private site approves of being accessed by a public site through a process known as CORS-preflight requests.

This feature, unlike current protections that focus on subresources and web workers, specifically targets navigation requests to better protect private networks from external threats.

Google provides an example of how this feature could prevent an attack: A public website uses an HTML iframe to execute a CSRF attack that alters the DNS settings of a visitor's router within their local network.

Google is developing a feature to shield users from attacks by malicious websites targeting devices on private networks, such as home routers or printers. This feature, aimed at preventing such websites from using a user's browser as a pivot point for attacks, is detailed in a support document by Google.

The "Private Network Access protections" will be introduced in Chrome 123 in a "warning-only" mode. This feature will perform checks when a website attempts to make a browser access another site within the user's private network. It includes verifying the security of the request's context and sending an initial CORS-preflight request to the targeted site within the private network, assessing if access from a public website is permitted.

Google's initiative focuses on navigation requests, unlike existing protections that apply to subresources and workers. It aims to protect private networks by preventing unauthorized requests from public websites.

In the proposed mechanism, when a browser tries to connect to an internal device on behalf of a public site, it first sends a preflight request. If the internal device does not respond, the connection attempt is blocked. Should the device respond, it can signal permission through the 'Access-Control-Request-Private-Network' header, allowing or denying the request based on whether it explicitly authorizes the connection.

During the initial warning phase, failed checks result in warnings in the DevTools console rather than blocking, offering developers a grace period to make necessary adjustments. Google notes a potential loophole where blocked requests might proceed upon automatic browser reload, as such reloads are treated as internal network interactions. To counteract this, Google suggests preventing automatic page reloads if a request was previously blocked by the Private Network Access feature, ensuring the protection of users' private networks from external threats.

New Google Chrome feature blocks attacks against home networks (bleepingcomputer.com)

 
 
 
 
Posted : 17/02/2024 4:47 pm
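
The preflight exchange described in the post, modeled as an added example (not from the post and not Chrome's code): a device-side handler that opts in only for allowlisted origins, and a simplified browser-side decision covering the no-response, opt-in and warning-only cases. Header names follow the Private Network Access draft, where the browser's preflight carries `Access-Control-Request-Private-Network: true` and the device opts in with `Access-Control-Allow-Private-Network: true`; the function names, origins and addresses are hypothetical.

```javascript
// Added illustration of Private Network Access (PNA) checks; a simplified model, not Chrome's code.
// Classify an IPv4 address into the address spaces PNA distinguishes.
function addressSpace(ip) {
  const [a, b] = ip.split('.').map(Number);
  if (a === 127) return 'local';                        // loopback
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254)) return 'private';
  return 'public';
}

// Device side: answer a PNA preflight only for explicitly allowlisted origins.
// Returns null for anything that is not a PNA preflight (handled elsewhere).
function answerPreflight(req, allowedOrigins) {
  const h = req.headers;
  if (req.method !== 'OPTIONS' || h['access-control-request-private-network'] !== 'true') return null;
  if (!allowedOrigins.includes(h.origin)) return { status: 403, headers: {} };
  return { status: 204, headers: {
    'access-control-allow-origin': h.origin,
    'access-control-allow-private-network': 'true',
    'vary': 'Origin',
  } };
}

// Browser side: decide what happens to a request from `initiator` to `targetIp`.
// `preflight` is the device's response, or null if the device never answered.
function browserDecision(initiator, targetIp, preflight, warningOnly) {
  const rank = { public: 0, private: 1, local: 2 };
  const from = addressSpace(initiator.ip), to = addressSpace(targetIp);
  if (rank[to] <= rank[from]) return 'allow';           // not crossing into a more private space
  const optedIn = initiator.secureContext && preflight !== null &&
    preflight.status >= 200 && preflight.status < 300 &&
    preflight.headers['access-control-allow-private-network'] === 'true' &&
    preflight.headers['access-control-allow-origin'] === initiator.origin; // this model does not accept '*'
  if (optedIn) return 'allow';
  return warningOnly ? 'warn' : 'block';                // warning-only mode logs instead of blocking
}

// Constructed sample: a public page targeting a router admin UI at 192.168.1.1.
const page = { origin: 'https://public.example', ip: '203.0.113.10', secureContext: true };
const probe = { method: 'OPTIONS', headers: { origin: page.origin,
  'access-control-request-method': 'POST', 'access-control-request-private-network': 'true' } };
const routerReply = answerPreflight(probe, ['https://admin.router.example']);
console.log(browserDecision(page, '192.168.1.1', routerReply, false));
```

A device that never implemented the opt-in header stays unreachable from public pages once enforcement is on, which is the default-deny behaviour the post describes.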