Thursday, January 13, 2022

 



Chrome will gain an advanced reinforcement against cyber attacks

For more than a decade, the Internet has remained vulnerable to a class of attacks that use browsers as a bridge to access routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.

Starting with Chrome version 98, the browser will start relaying requests when public websites want to access endpoints within the private network of the person visiting the website. For now, requests that fail will not prevent connections from happening. Instead, they will only be registered. Somewhere around Chrome 101 – assuming the results of this test run do not indicate that large parts of the internet will be broken – it will be mandatory for public websites to have explicit permission before they can access endpoints behind the browser.

The planned suspension of this access comes as Google enables a new specification known as private network access, which allows public websites to access internal network resources only after the websites explicitly request it and the browser grants the request. PNA communications are sent using the CORS protocol, or Cross-Origin Resource Sharing. Under the scheme, the public site sends a preflight request in the form of the new Access-Control-Request-Private-Network: true header. For the request to be granted, the browser must respond with the corresponding Access-Control-Allow-Private-Network: true header.

Network intrusion via browser

Until now, websites have had, by default, the ability to use Chrome and other browsers as a proxy to access resources within the local network of the person visiting the website. While routers, printers or other network assets are often blocked, browsers – due to the need to interact with so many services – are, by default, allowed to connect to virtually any resource within the perimeter of the local network. This gave rise to an attack class known as CSRF, short for cross-site request forgery.

Such attacks have been theorized for over a decade and have also been carried out in the wild, often with significant consequences. In a 2014 incident, hackers used CSRFs to change DNS server settings for over 300,000 wireless routers.

The change caused compromised routers to use malicious DNS servers to resolve the IP addresses end users were trying to visit. Instead of visiting the authentic Google.com site, for example, the malicious server may return the IP address of a booby-trapped imposter site that the end user has no reason to believe is harmful.

Starting in version 98, if Chrome detects a private network request, a “preflight request” will be sent in advance. If the preflight request fails, the final request will still be submitted, but a warning will be displayed in the DevTools issues panel.

“Any failed preflight request will result in a failed search,” wrote Google engineer Titouan Rigoudy and Google developer Eiji Kitamura in a recent blog post. “This can allow you to test whether your site would work after the second phase of our release plan. Errors can be diagnosed in the same way as warnings using the DevTools panels mentioned above.”

If and when Google is confident that there will be no mass outages, preflight requests will have to be granted.
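The header exchange and the two rollout phases described above, modelled from the side of an internal device that receives the preflight, plus a simplified browser-side check. This is an added example, not code from Google or from the original article; the origin names, function names and the "warn"/"enforce" phase labels are assumptions made for illustration.

```javascript
// Constructed allowlist: public origins permitted to reach this internal device.
const ALLOWED_ORIGINS = new Set(["https://setup.example.com"]);

// Device side: build the reply to a CORS preflight. `req.headers` keys are
// assumed to be lower-cased (as Node's http module delivers them).
function answerPreflight(req, allowed = ALLOWED_ORIGINS) {
  const h = req.headers;
  if (req.method !== "OPTIONS" || !h["access-control-request-method"]) {
    return null; // not a preflight; handle as a normal request
  }
  if (!allowed.has(h.origin)) {
    return { status: 403, headers: {} }; // no CORS headers, so the preflight fails
  }
  const headers = {
    "access-control-allow-origin": h.origin,
    "access-control-allow-methods": "GET, POST",
    vary: "Origin",
  };
  // Opt in to private network access only when the preflight asked for it.
  if (h["access-control-request-private-network"] === "true") {
    headers["access-control-allow-private-network"] = "true";
  }
  return { status: 204, headers };
}

// Browser side, simplified: "warn" stands for the Chrome 98 phase,
// "enforce" for the later phase in which the preflight must be granted.
function browserDecision(preflightReq, resp, phase) {
  const wantsPna =
    preflightReq.headers["access-control-request-private-network"] === "true";
  const ok =
    resp !== null && resp.status >= 200 && resp.status < 300 &&
    resp.headers["access-control-allow-origin"] === preflightReq.headers.origin &&
    (!wantsPna || resp.headers["access-control-allow-private-network"] === "true");
  if (ok) return "send";
  return phase === "enforce" ? "block" : "send-with-devtools-warning";
}

// Constructed sample preflight for a public page calling a private endpoint.
const makePreflight = (origin) => ({
  method: "OPTIONS",
  headers: {
    origin,
    "access-control-request-method": "POST",
    "access-control-request-private-network": "true",
  },
});
```

A device that never sends the allow header behaves like the 403 case here: its requests pass with a warning in the first phase and are blocked once enforcement begins.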

mundophone
