Article 5V02D New Chrome security measure aims to curtail an entire class of Web attack

New Chrome security measure aims to curtail an entire class of Web attack

by
Dan Goodin
from Ars Technica - All content on (#5V02D)
Chrome-Getty-800x533.jpg

Enlarge (credit: Getty Images)

For more than a decade, the Internet has remained vulnerable to a class of attacks that uses browsers as a beachhead for accessing routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.

Starting in Chrome version 98, the browser will begin relaying requests when public websites want to access endpoints inside the private network of the person visiting the site. For the time being, requests that fail won't prevent the connections from happening. Instead, they'll only be logged. Somewhere around Chrome 101-assuming the results of this trial run don't indicate major parts of the Internet will be broken-it will be mandatory for public sites to have explicit permission before they can access endpoints behind the browser.

The planned deprecation of this access comes as Google enables a new specification known as private network access, which permits public websites to access internal network resources only after the sites have explicitly requested it and the browser grants the request. PNA communications are sent using the CORS, or Cross-Origin Resource Sharing, protocol. Under the scheme, the public site sends a preflight request in the form of the new header Access-Control-Request-Private-Network: true. For the request to be granted, the browser must respond with the corresponding header Access-Control-Allow-Private-Network: true.

Read 8 remaining paragraphs | Comments

index?i=RUXJne7FOA8:oEFzafgbX5I:V_sGLiPB index?i=RUXJne7FOA8:oEFzafgbX5I:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments