New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Distinct private networks can attack each other #28
Comments
Oh, and link-local IPv4 addresses should of course also be reclassed as "local". |
Hi there, thanks for the feedback! Unpacking this a bit... I see you raise a few issues:
|
Let's say I set up a VM on my laptop for development of some webapp. To be able to access the VM's webserver from the host OS, I don't just give the VM NAT-based connectivity, but put the VM on a virtual network interface, let the host route The specified algorithm will then allow devices on the local network to interact with the webapp in the development VM. If the local network is untrusted, that may potentially be a small issue. As an example, see Chrome OS with Crostini. On the Pixelbook I have here, I can run an HTTP server inside the Crostini VM, and it shows up as
Yeah, dunno.
Ah, I'm not aware of any broader issues here. If anything, I'd expect IPv6 to mostly make things better, given that it removes the need for ugly STUN hackery and such...
Nope, sorry.
I guess that's a reasonable approach, although it probably doesn't help much if an attacker can determine the actual IP addresses of devices?
If there is an active attacker in wifi range, the network switching could happen in close succession.
That would probably help to some degree, although it would likely not be 100% solid due to the lack of an API that would ensure that no more packets (potentially containing secret tokens) can go out after a network switch.
Maybe? I don't think there's a nice solution that works without a bunch of ugly plumbing here. (Short of requiring HTTPS, but that'd be beyond the scope here.) |
Filed #30 for this |
Ok, so the initial concern around incorrect classification of IPv6 addresses should be fixed by #30. What remains is the ability for an attacker to force wifi switches, inject malicious content in the I think this would indeed be addressed by keying the private network request detection logic on some other piece of data than the address space alone - be it a network identifier, or maybe more simply a count of network changes since the browser last restarted. The latter solution in particular seems doable in Chrome, given that we already observe network changes. It might miss some events (IIRC proxy config changes, for example) but should be good enough to mitigate the scenario laid out here. All that said, I do not think that is as high priority as fixing the main issue: that any random public website can attempt to hack various internal network devices with 0 marginal effort per victim. What do you think? If you agree, I can rename this issue to focus on cross-network confusion attacks, the like of which you described. |
Yeah, I think renaming the issue is reasonable. |
Thanks! Done. |
The previous commit mistakenly included part of this commit in `index.html` without including the corresponding changes to `index.src.html`, which is unfortunate. This brings the repo back to a state where running `make clean && make` should only change the document revision hash in `index.html`. Issue: #28
cc @mikewest @letitz
I don't understand the IP address classification rules. Why are link-local addresses "local" while private IPv4 addresses are "private"? In a normal, dual-homed home network, you'd address devices on the network through
fe80::*
addresses for IPv6 (classified as "local") but through192.168.*.*
or whatever for IPv4 (classified as "private"). If semantically, "local" is supposed to mean "this machine" while "private" is supposed to mean "the local network", then the current classification of IPv6 addresses is broken.Also note that with IPv6, there are one (or potentially even more) global addresses using which devices on the local network are reachable at any given time. (Potentially multiple ones with the same prefix for privacy reasons, but I believe there can also be ones with different prefixes if the ISP recently delegated a new IPv6 prefix to the router, or if there are multiple routers with upstream connectivity.) And ISPs will sometimes delegate a
/64
, other times an entire/48
(from which the user can then carve multiple/64
networks for different private network segments). (And which IPv6 addresses belong to the local network can change dynamically if the user connects to a wifi or whatever.)And a completely different can of worms is that if the user e.g. configures their device such that it will connect both to some open wifi network and some corporate wifi network, a private IP address isn't even semantically same-origin with itself across time, because in one case it is some trusted corporate server while in the other case it's routed through an attacker-controlled network.)
With static network config
So here's a list of brainstormed things that I think might help make these rules vaguely solid under the assumption that we're not moving between networks:
fe80::/10
in a DNS response must always error out, as explained in RFC 4472, section 2.1:http://[fe80::1%eth0]:80/
(which are only valid on a single machine, because they incorporate information about the client's network interface names), classifyfe80::
as "private" such that "local" refers exclusively to services running on the local machine. This should fix the classification of "private" vs everything else.curl
seems to support it, though. It would be a useful feature if someone wants to have stable browser bookmarks referencing IPv6 devices on the local network./64
address prefixes. We could try to detect such situations by using an IPv4 traceroute to detect at which TTL the edge from the local network to the internet is, then hope that the route to the internet has the same length for IPv6?Time Exceeded
message from the same gateway as when trying to contact some IPv6 address that is known to be publicly routed.With network switching
If we are switching between networks (one of which is potentially malicious, especially if the client device is a laptop or smartphone that is configured to connect to open wifi networks), things around "private" addresses immediately get really ugly. Imagine an attacker who forces us to disconnect from the trusted company wifi, causing us to connect to the attacker's spoofed open wifi; then on the open wifi, the attacker navigates some iframe to
http://192.168.1.1/
, loads malicious script in the frame, then terminates the open wifi and lets us connect back to the trusted company wifi, on which attacker-controlled script now runs in the origin ofhttp://192.168.1.1/
.To handle this properly, it might be necessary to do something along the lines of:
public -> private
interactions apply.If this is considered out of scope, there should probably at least be a note somewhere that points out this scenario.
The text was updated successfully, but these errors were encountered: