Google says that its Chrome browser will soon block internet websites from querying and interacting with devices and servers located inside local private networks, citing security reasons and past abuse from malware operations.
The change will take place through the implementation of a new W3C specification called Private Network Access (PNA) that will be rolled out in the first half of the year.
The new PNA specification adds a mechanism inside the Chrome browser through which internet sites can ask systems inside local networks for permission before establishing a connection.
Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.
Eiji Kitamura and Titouan Rigoudy, Google
If local devices, such as servers or routers, fail to respond with that permission, internet websites will be blocked from connecting to them.
The new PNA specification is one of the most important security features that will be added to Chrome in recent years.
Since the early 2010s, cybercrime groups have realized that they could use browsers as a “proxy” that relays connections to a company’s internal network.
For example, a malicious website could contain code that tries to access an IP address like 192.168.0.1, which is the typical address for most router administration panels, and accessible only from a local network.
When users access this kind of malicious site, their browser can make an automated request to their router without the user’s knowledge, sending malicious code that can bypass the router’s authentication and modify router settings.
Variations of this internet-to-local-network attack could also target other local systems, such as internal servers, domain controllers, firewalls, or even locally hosted applications (via the http://localhost domain or other locally defined domains).
By introducing the PNA specification inside Chrome and its permission negotiation system, Google wants to prevent such automated attacks from being possible.
According to Google, a version of PNA has already been shipped with Chrome 96, released in November 2021, but full support will be rolled out in two phases this year, with the Chrome 98 (early March) and Chrome 101 (late May) releases, as detailed below: