• AgreeableLandscape@lemmy.ml
    link
    fedilink
    arrow-up
    8
    ·
    3 years ago

    There is pretty much no legitimate reason that a site from the internet should access the local network.

    The only exception I’ve seen to this is Synology having a NAS finder webapp where it searches your local network for a Synology device and tells you the IP address. But that’s a tiny niche use case and there are other ways of finding it that doesn’t involve a website (the device broadcasts its identity and has a hostname FFS). Any open source IP scanner will find it instantly, or in many networks you can just type in the hostname into your browser like a domain.

  • X_Cli@lemmy.ml
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    3 years ago

    Being a network security specialist, I’ll ask these basic questions:

    • what’s the universal definition of a private network?
    • does this measure make sense in IPv6 within the global scope?
    • is it the responsibility of the browser to secure against DNS rebinding?

    My answers to these questions are:

    • there is no universal definition, so this approach is doomed by design
    • no
    • heck, no; that’s the job of the webserver, by avoiding the so-called default virtual host. The Host/:authority header should always be verified, and this is sufficient to counter all forms of DNS rebinding.
  • pinknoise@lemmy.ml
    link
    fedilink
    arrow-up
    3
    ·
    3 years ago

    It’s about time, attackers can extract quite a bit of data about the local network via the browser. It’s pretty easy to identify appliances and home routers given someone stays on a site long enough.