There is literally a "network scan" section of the page that informs you it's scanning devices in your local network.
That's why you see webrtc requests to internal IP addresses. I do not see any requests to the router admin panel, and in fact it looks like the code specifically avoids sending a webRTC request to the gateway IP (x.y.z.1)
I actually locked myself out except for console access, so some of this is from memory/Googling:
1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless traffic, so I have it listening/connected to both)
2. Change iptables default policy to DROP
3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio
4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)
5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember we have a default of DENY)
6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'
7. Write a bash script to monitor syslog, parse the log, forward to the before-mentioned script on another host
I think a button would be more appropriate. Not everyone reads HN on a network they control and port scanning one's neighbors can lead to some unpleasant conversations.
Weirdly it's wrong for me, there's LAN IPs on the list that don't exist, and it's missing ones that do. Firefox on Ubuntu, with uBlock Origin, over WiFi.
You should also fix the copy. You have "To prevent your browser from accessing your Device Orientation use NoScript." appear twice, the second time under "Network Scan".
Yes, this will reveal sites that serve broken pages that require javascript to render usually static content (skipping progressive enhancement is lazy and unprofessional). Are those sites worth the expense of everyone learning more fingerprintable data about your and your browser?
The WebRTC scan that others are complaining about is another good reason to shut off javascript. Are other sites doing similar scans, perhaps in a less obvious way? It is insane that random pages even have that ability; it's a huge attack surface that is mostly unknown and unexplored.
> private mode
That's mostly about not leaving data trails on the local device (hence the "porn mode" nickname).
> (skipping progressive enhancement is lazy and unprofessional)
Single page apps are definitely in the "lazy" category. If you send a page without content, that page is broken. You should be prioritizing the safety of your readers.
If developing proper pages is difficult with your develop0ment tools or methods, then you should find a different method - ideally something that handles the progressive enhancement for you.
> Geo Coordinates: [lat,lng about 90 miles from the correct location]
I find that error hilarious, because I setup correct in-addr.arpa and ip6.arpa reverse DNS entries for my (static) IP, which returns a domain name that has an accurate LOC record. My IP is two DNS queries away from my location (~10m precision), yet most of the time everyone uses these geoip databases instead of LOC.
I found it shockingly accurate -- it gave the address of a house I can see out my window. I'm on an entirely wired connection, so I know it's not doing it via any sort of wi-fi location, but perhaps my ISP lays out IPs very predictably or something.
While it hardly surprises any of HN audience, it's a GREAT showcase for a less technical audience.
I see that you removed automatic network scanning due to a comment here; but since it's an educational project, I think it would be valuable to add a comment that explains that a malicious website could get that info without consent.
Me too, my tower is in fact "laying" not standing,
on a table. Just as an aside, this declaration should read. Your Device is "probably", not propably.
Not much of interest showed up for me. Monitor resolution, browser ID, geo location, OS and public IP.
My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in both IE11 and Edge (both of which I never use), and I got pretty much the same result. Firefox and Epiphany on Gentoo Linux also failed to startle me.
I'd like to see a screenshot of a "worst case scenario".
This is a perfect example of what an attacker could do with your browser. If you can get a user's browser to run code, as this site demonstrates there is a lot of information you can find. And coupled with a Cross-Site Request Forgery, you could get access to a bunch of things. If your home router has a vulnerability that bypasses authentication and allows you to execute commands on the router or similar (which is not uncommon, home router security is awful), you could get a foothold into the network just by sending someone a email with links that they are likely to click on.
Note to the author: I am not entirely sure how the WebRTC connection gets you a local IP, it seems to be connecting to stun:stun.services.mozilla.com. Anyway,that grabs the wrong local address for me, and gets the IP of my docker0 interface, perhaps it could grab more IPs, or is it just displaying the first one it finds?
Edit: Oh, the getIP function just calls the callback on the first candidate it finds.
Between NoScript and Random Agent Spoofer, nothing is correct except my resolution and a couple of plug-ins (like Flash and VLC).
Shutting NoScript off doesn't make too much difference, and I don't think RAS does that much (some sites seem to see through it), so it must be one of the other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).
For some reason, this worked really badly when I tried it. About the only things it figured out were that I run Linux on an x86_64 system and use Firefox. Well, it did get my ISP right, so that pretty much limits my location to a single country. Even my display resolution was not right. It did find quite a few devices on my network. All of them non-existent, though.
The social media thing is cool, I didn't know that trick of using the favicon.ico img under the login of a site to see if the image will load or not. That's pretty nifty
I found it interesting that it could read my battery level and discharging time. As for device orientation, I think I've seen that before but I had forgotten about it being possible.
I visited the page once on my Android using my HN app's built-in webkit browser, where it displayed some interesting stats like the location, the battery level, ISP, etc.
I opened the same link in Firefox Android with uBlock Origin installed, and got no hardware stats other than the kernel, no software stats, and no IP.
My takeaway from this is to NEVER use an app that uses Webkit.
I'm not sure if that was the intended purpose, but thanks for the eye-opener anyway!
My takeaway would've been; use some sort of protection, like NoScript, uBlock, etc. The choice of web-browser engine seems less important when you globally allow javascript or other similar capabilities.
This is true, but on Android this is not possible on Chrome or the default webkit browser, as Google doesn't allow extensions. So my point still stands.
> My takeaway from this is to NEVER use an app that uses Webkit
You're talking about WebKit on android, which was ported there by Google.
The original WebKit (as WebKit, not khtml) browser (Safari) doesn't leak all that information, so my take away would be not to trust a company obsessed with collecting private information and pushing all things into a browser, to have the best track record when it comes to protecting your privacy.
Thanks for the nice demonstration. Looks like the speed test is running of a very random source image that might not be yours. If it isn't, you might want to look at hosting your own image for it.
Not sure why battery is exposed; I guess that's the result of making browsers more like OSes.
The only really annoying thing is the idiotic WebRTC settings. Their love for "data channels" with zero prompts, despite having no legitimate uses[1], ignores your proxy settings. This should be fixed.
1: I asked someone involved with WebRTC. They suggested "maybe a page wants to communicate with your fridge directly" as a serious use of WebRTC data channels.
Yeah, and that's also a great example of what should NOT be allowed without the user's EXPLICIT permission - simply visiting a link should not result in a torrent download!
No, it doesn't just use a different protocol. It ignores your network settings (proxy) and exposes your local network information.
I can understand not wanting to scare people with "Allow P2P Data Channel", but ignoring proxy settings and revealing all IPs is unacceptable. WebRTC folks toss off these concerns with "there's no way to prevent tracking so heh".
Visiting a link exposes also a lot on default. Browser, OS, Resolution. The major browsers are not build for this needs. Best experience first. BTW: There are extensions to block webrtc ip leak.
We should be reducing the amount of data exposed and fixing the mistakes of the past that allowed so much data to be easily exfiltrated.
> Best experience first.
"Best" is not a defined term. What software developers should (always) be providing is the safest method first. Fancy UI tricks are a far lower priority than safety. If there is any doubt, fail safely.
Anybody that isn't putting safety first is being incredibly irresponsible. Stop leaking data and design for safety and security first. Yes, this it will be harder to make a nice user experience. In time, this will improve, but in the meantime safety is not something that can simply be ignored.
> extensions
Safety is not an optional feature that only some people should have.
<video> tags are a more standardized part of the web. Although I should be able to disable auto-buffering as well as auto-play.
Ideally the user can control whether all types of content get loaded—images, CSS, JavaScript, web fonts—or even allow/deny individual domains or files, but so far browsers require an extension like uMatrix for that.
The fact that some browsers do allow you to control these things, even if you have to use an extension because they don't support it themselves, is crucially important and totally acceptable. AFAIK there is nothing equivalent to NoScript for IE, however, so that's just one of many reasons I don't use it.
I don't really mind the trend in browsers over the last several years to give explicit access to more OS resources, it frees us from both Flash and Java Applets, Adobe's PDF reader, and other crap. But I'm not sure the browser replacements, at least in the short term, will actually get the security models any better. Is there any reason to prefer all these new JS APIs over allowing a Java Applet, besides "Java Applets are insecure"? It's certainly not performance -- I know many people chuckle when someone demos the latest X in JS (with or without WebGL) where X was done better with less hardware years ago via an applet. Secure or not, it's incredibly difficult to actually run an applet these days, and it's a strange disconnect with how the browser is fine doing so much else without warning. Will we see a similar increase in difficulty for running JS that can be just as insecure?
I've been a NoScript and adblock advocate for many years, but the first is often met with alien stares and the second is only successful when I install it on their browser myself or when I'm recommending adblocking to either other technical people or people who really hate ads even on TV. There's a weird resistance some people have that can get brought up in both cases, though, and it's probably going to take more than a few big public fails due to malicious websites before people will stop bringing it up. The argument adblocking users have been making for ages: this is my computer, my browser, and neither is under any obligation to act in a particular way based on the contents of what your server sends me. I don't like your ads? I can choose not to see them. I don't trust your JS? I can choose not to execute it. I don't like your theme? I can load my own. It's very weird to me that people oppose this view.
Do you use NoScript in everyday? I think while it would make those annoying APIs go away, the web site experience would became a bit poor and even not work properly.
I am not sure if this battery is not just FUD and some other sections as well. Because I currently have no battery in my laptop (no battery detected) and site is saying "Charging: charging", "Battery level: 100%", "Charging time: 0h"
Battery levels are exposed in the Battery Status API [1] which is currently implemented on Firefox and Chrome, both desktop and Android editions [2] but not on iOS.
Just like with mobile apps, battery info can help websites decide whether they should run a complex operation now. It also helps detect regressions if a commit happens to suck power faster. Unfortunately, it's more bits available to deanonymize users across websites.
Data channels are useful for synchronizing your phone and your laptop. All native platforms support this. Most websites do it with a roundtrip to the server. So it would be mysterious to the user why a permission is prompted for something that should just work. Obviously it's bad for privacy though.
So painting it as having no legitimate uses is a bit one-sided. There is no easy fix.
What websites do CPU-intensive work that can be delayed for hours?
In general I want a website to suck as much power as possible so it can be done sucking power as soon as possible, whether I'm on battery or not. If you want to find waste, track execution time and bandwidth use.
I'm not sure I understand your point. Many apps (would) benefit from delaying some tasks and waiting to be on charge and a wifi connection. Typically, synchronization for example requires the device to be awake for a long period because of network roundtrips, transfers, disk seeks and CPU work. Software updates are similarly impactful on the battery.
At least, it makes sense to measure battery usage to optimize your code. And in my opinion, it's also beneficial to react to battery events (delay when on low battery, process when on a wall socket) and network events (bad coverage vs. strong wifi).
I'ts funny with WebRTC, because I rememeber when the same could be accomplish with Java applets (Java ignored any proxy settings, which allowed to deanonynimize people on the internet, e.g. it no longer mattered if you were behind TOR if you had Java enabled). I think it was considered security bug and was patched later. Seems that WebRTC people are not so security-wise I suppose...
208 comments
[ 2.8 ms ] story [ 248 ms ] threadGPU: Vendor: Mozilla
That's why you see webrtc requests to internal IP addresses. I do not see any requests to the router admin panel, and in fact it looks like the code specifically avoids sending a webRTC request to the gateway IP (x.y.z.1)
1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless traffic, so I have it listening/connected to both)
2. Change iptables default policy to DROP
3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio
4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)
5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember we have a default of DENY)
6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'
7. Write a bash script to monitor syslog, parse the log, forward to the before-mentioned script on another host
Hate it when that happens to me...every week.
Just my 2 cents, but I feel like there might be some commercial demand for something like this if you'd ever consider packaging it.
But yeah, I echo the other commenter wanting to know more about how you set that up.
It's incredible that a webpage can do that.
How so? Any site you navigate to knows your IP, and can take action based on that.
Congrats on the page!
Yes, this will reveal sites that serve broken pages that require javascript to render usually static content (skipping progressive enhancement is lazy and unprofessional). Are those sites worth the expense of everyone learning more fingerprintable data about your and your browser?
The WebRTC scan that others are complaining about is another good reason to shut off javascript. Are other sites doing similar scans, perhaps in a less obvious way? It is insane that random pages even have that ability; it's a huge attack surface that is mostly unknown and unexplored.
> private mode
That's mostly about not leaving data trails on the local device (hence the "porn mode" nickname).
Single page apps are definitely in the "lazy" category. If you send a page without content, that page is broken. You should be prioritizing the safety of your readers.
If developing proper pages is difficult with your develop0ment tools or methods, then you should find a different method - ideally something that handles the progressive enhancement for you.
It would be great to hear your suggestions on how to improve both the advices!
I find that error hilarious, because I setup correct in-addr.arpa and ip6.arpa reverse DNS entries for my (static) IP, which returns a domain name that has an accurate LOC record. My IP is two DNS queries away from my location (~10m precision), yet most of the time everyone uses these geoip databases instead of LOC.
I see that you removed automatic network scanning due to a comment here; but since it's an educational project, I think it would be valuable to add a comment that explains that a malicious website could get that info without consent.
I'm one of those heathens that actually puts the desktop tower on top of the desk. Got me.
My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in both IE11 and Edge (both of which I never use), and I got pretty much the same result. Firefox and Epiphany on Gentoo Linux also failed to startle me.
I'd like to see a screenshot of a "worst case scenario".
Are you saying it showed your geo location without having prompted for it, and that you're OK with that?
They aren't using GeoIP lookups. Google runs a service that uses Javascript to try to provide a more accurate position than GeoIP can.
Note to the author: I am not entirely sure how the WebRTC connection gets you a local IP, it seems to be connecting to stun:stun.services.mozilla.com. Anyway,that grabs the wrong local address for me, and gets the IP of my docker0 interface, perhaps it could grab more IPs, or is it just displaying the first one it finds?
Edit: Oh, the getIP function just calls the callback on the first candidate it finds.
It knows too much
Reading keystrokes from a nearby keyboard using the gyroscope http://www.cc.gatech.edu/fac/traynor/papers/traynor-ccs11.pd...
Speech Recognition using the gyroscope http://www.wired.co.uk/news/archive/2014-08/15/gyroscope-lis...
Not just a problem with webpages, apps that don't have access to your mic do have access to your gyroscope
One possible solution is to not allow gyroscope reading above say 20hz without user permission (for both apps and webpages)
Shutting NoScript off doesn't make too much difference, and I don't think RAS does that much (some sites seem to see through it), so it must be one of the other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).
Chromium 49. The only place I am logged into is Reddit
> Twitter: logged in > Facebook: logged in > Google Plus: logged in > Reddit: logged in > Flickr: logged in
I opened the same link in Firefox Android with uBlock Origin installed, and got no hardware stats other than the kernel, no software stats, and no IP.
My takeaway from this is to NEVER use an app that uses Webkit.
I'm not sure if that was the intended purpose, but thanks for the eye-opener anyway!
You're talking about WebKit on android, which was ported there by Google.
The original WebKit (as WebKit, not khtml) browser (Safari) doesn't leak all that information, so my take away would be not to trust a company obsessed with collecting private information and pushing all things into a browser, to have the best track record when it comes to protecting your privacy.
Safari 9.1 : Minimal HW/SW detection, No social media leak, No network scan (after click)
Safari 9.1.1 (Tech Preview) : Minimal HW/SW detection, No social media leak, No network scan (after click)
Chrome 49.0.2623.110 : Full HW/SW detection, Social media login detected, Network scanning (after click)
Firefox 45.0.1 : Full HW/SW detection, Social media login detected, Network scanning (after click)
On Safari 9.1.1 TP : no addons
On Safari 9.1 : AB (getadblock.com)
On Firefox : uBO / No "NoScript" (for testing)
On Chrome : uBO
Also, my machine only has two physical cores, so 9.1.1 leaked physical + virtual
The only really annoying thing is the idiotic WebRTC settings. Their love for "data channels" with zero prompts, despite having no legitimate uses[1], ignores your proxy settings. This should be fixed.
1: I asked someone involved with WebRTC. They suggested "maybe a page wants to communicate with your fridge directly" as a serious use of WebRTC data channels.
I can understand not wanting to scare people with "Allow P2P Data Channel", but ignoring proxy settings and revealing all IPs is unacceptable. WebRTC folks toss off these concerns with "there's no way to prevent tracking so heh".
We should be reducing the amount of data exposed and fixing the mistakes of the past that allowed so much data to be easily exfiltrated.
> Best experience first.
"Best" is not a defined term. What software developers should (always) be providing is the safest method first. Fancy UI tricks are a far lower priority than safety. If there is any doubt, fail safely.
Anybody that isn't putting safety first is being incredibly irresponsible. Stop leaking data and design for safety and security first. Yes, this it will be harder to make a nice user experience. In time, this will improve, but in the meantime safety is not something that can simply be ignored.
> extensions
Safety is not an optional feature that only some people should have.
But that's orthogonal to whether it's torrenting. You can torrent while respecting network settings, and without exposing local IPs.
How will you know that a download is desired or not?
Ideally the user can control whether all types of content get loaded—images, CSS, JavaScript, web fonts—or even allow/deny individual domains or files, but so far browsers require an extension like uMatrix for that.
I don't really mind the trend in browsers over the last several years to give explicit access to more OS resources, it frees us from both Flash and Java Applets, Adobe's PDF reader, and other crap. But I'm not sure the browser replacements, at least in the short term, will actually get the security models any better. Is there any reason to prefer all these new JS APIs over allowing a Java Applet, besides "Java Applets are insecure"? It's certainly not performance -- I know many people chuckle when someone demos the latest X in JS (with or without WebGL) where X was done better with less hardware years ago via an applet. Secure or not, it's incredibly difficult to actually run an applet these days, and it's a strange disconnect with how the browser is fine doing so much else without warning. Will we see a similar increase in difficulty for running JS that can be just as insecure?
I've been a NoScript and adblock advocate for many years, but the first is often met with alien stares and the second is only successful when I install it on their browser myself or when I'm recommending adblocking to either other technical people or people who really hate ads even on TV. There's a weird resistance some people have that can get brought up in both cases, though, and it's probably going to take more than a few big public fails due to malicious websites before people will stop bringing it up. The argument adblocking users have been making for ages: this is my computer, my browser, and neither is under any obligation to act in a particular way based on the contents of what your server sends me. I don't like your ads? I can choose not to see them. I don't trust your JS? I can choose not to execute it. I don't like your theme? I can load my own. It's very weird to me that people oppose this view.
I hate that. Is there a reliable way to turn that behavior off?
The page also thinks my system is flat on a table. Close; the screens are, while the tower's on the floor :P
1. https://developer.mozilla.org/en/docs/Web/API/Battery_Status...
2. http://caniuse.com/#search=battery
Data channels are useful for synchronizing your phone and your laptop. All native platforms support this. Most websites do it with a roundtrip to the server. So it would be mysterious to the user why a permission is prompted for something that should just work. Obviously it's bad for privacy though.
So painting it as having no legitimate uses is a bit one-sided. There is no easy fix.
In general I want a website to suck as much power as possible so it can be done sucking power as soon as possible, whether I'm on battery or not. If you want to find waste, track execution time and bandwidth use.
At least, it makes sense to measure battery usage to optimize your code. And in my opinion, it's also beneficial to react to battery events (delay when on low battery, process when on a wall socket) and network events (bad coverage vs. strong wifi).