W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Websockets and connections to private IPs and localhost

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 19 Mar 2015 01:46:22 -0700
Message-ID: <CAPfop_1jQL+xwA7VKyGdPJzbp+T-C9zRJt+-Qk3SLQP2vHmGng@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

In https://code.google.com/p/chromium/issues/detail?id=378566, the
blink team is planning on blocking all connections to private networks
and localhost. This is unfortunate, because (as discussed in the bug)
this breaks a bunch of applications. I was wondering: instead of
cutting down all accesses outright, can we make a compromise in
allowing websockets to connect?

The websocket handshake is designed to not mistakenly allow access:
instead, there are specific steps the servers have to take to agree to
connect over websockets and so I don't see much security hardening
achieved by blocking websockets. What do others think? (I am not sure
this is even under the purview of w3c since I don't believe "block
private networks" is a standard).

Additionally, I think browsers should also allow websocket connections
to localhost in a secure context because the browser can ensure that
this never left the computer to get on the (untrusted) network. This
part 2 definitely seems like part of MIX.

Full disclosure for those who didn't read the bug: Dropbox (my current
employer) is also affected by this issue. That said, these opinions
are mine and do not represent my employer's.

Received on Thursday, 19 March 2015 08:47:11 UTC
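The "specific steps the servers have to take" referred to above are the RFC 6455 opening handshake: the server must echo a value derived from the client's Sec-WebSocket-Key, so a service that does not deliberately speak WebSocket never produces a response the client will accept. The following is an added example, not part of the original post or of any browser code; it shows both halves of that check (server validation including an Origin allowlist, and the client refusing anything but a correct 101 response). The Sec-WebSocket-Key value is the sample from RFC 6455; the origin `http://example.com` and the request text are constructed for illustration.

```python
import base64
import hashlib
from typing import Dict, Tuple

# GUID fixed by RFC 6455 for deriving Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Sample key from RFC 6455 section 1.3 (decodes to the 16-byte nonce "the sample nonce").
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="

# Constructed client upgrade request (origin is an illustrative placeholder).
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: " + SAMPLE_KEY + "\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Origin: http://example.com\r\n"
    "\r\n"
)


def accept_key(client_key: str) -> str:
    """Derive Sec-WebSocket-Accept: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_message(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP request or response into its first line and a header map."""
    first_line, _, rest = raw.partition("\r\n")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first_line, headers


def server_handshake(raw_request: str, allowed_origins: set) -> Tuple[int, str]:
    """Validate a client upgrade request; return (status, response text).

    A server only reaches 101 if the request is a genuine WebSocket upgrade
    from an allow-listed Origin, so a plain HTTP or non-HTTP service on the
    same host never accidentally completes the handshake.
    """
    request_line, h = parse_message(raw_request)
    bad = "HTTP/1.1 400 Bad Request\r\n\r\n"
    if not request_line.startswith("GET "):
        return 400, bad
    if h.get("upgrade", "").lower() != "websocket":
        return 400, bad
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return 400, bad
    if h.get("sec-websocket-version") != "13":
        return 426, "HTTP/1.1 426 Upgrade Required\r\nSec-WebSocket-Version: 13\r\n\r\n"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, bad
    except ValueError:  # binascii.Error is a ValueError subclass
        return 400, bad
    # Origin is the server's chance to refuse cross-site callers (defence, not a browser feature).
    if h.get("origin") not in allowed_origins:
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    return 101, (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Accept: " + accept_key(key) + "\r\n"
        "\r\n"
    )


def client_accepts(response: str, client_key: str) -> bool:
    """Client-side rule: connect only if the server proved it understood the handshake."""
    status_line, h = parse_message(response)
    return (
        status_line.startswith("HTTP/1.1 101")
        and h.get("upgrade", "").lower() == "websocket"
        and h.get("sec-websocket-accept") == accept_key(client_key)
    )


if __name__ == "__main__":
    status, resp = server_handshake(SAMPLE_REQUEST, {"http://example.com"})
    print(status, client_accepts(resp, SAMPLE_KEY))
```

Running the block with the constructed request yields a 101 response the client accepts; swapping the Origin for one outside the allowlist yields 403, and any ordinary HTTP reply (for example a 200 from a non-WebSocket service) fails the client check because it carries no matching Sec-WebSocket-Accept.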

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:47 UTC