Ask HN: Why does the US Visa application website do a port-scan of my network?

537 points by mbix77 ↗ HN
I have recently installed this extension on FF: https://addons.mozilla.org/en-US/firefox/addon/port-authorit... and yesterday I visited this website: https://ceac.state.gov/genniv/ and I got a notification that the website tried to do a port-scan of my private network.

Is this a common thing? I have just recently installed the extension, so I am not sure if there are a lot of other websites who do it.

Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled.

37 comments

[ 2.9 ms ] story [ 86.4 ms ] thread
Many sites do it .Included in many standard device fingerprinting / anti anonymity SAAS. Ebay facebook etc all do this ! But it looks this is first party to prevent the adblocking of them

1MB of obfuscated fingerprinting + portscan + Webgl . But oddity this one is trying to find burp suite specific route's.

My biggest grief with that site is that it's like something from the 90s.
Looking like something from the 90s would be a feature, not a bug.

In the 90s and early 00s, we did tons of user-testing and feedback collection. We threw all that research away to create UX's that are minimal and "sleek". Tons of unnecessary whitespace and the concept of "Discovery" just thrown into the dumpster. Skeuomorphism was one of the greatest features of 90s-00s software, ironically thrown away as computers got faster and were able to handle the graphics better.

Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?
> Blocks malicious websites from port-scanning your computer/network

How does that work? A browser extension can't influence how your router and other machines in your network react to incoming requests.

Visa application is riddled with scams. From the simple website that charges you twice the price to websites that will tell you that you were rejected and then fake your documents to get in with your name. So they're probably trying to see that you're not one of those web servers, a proxy for them or detect some known C2 channels.
it's riddled with scams, and thinking any of this will detect any of the things you mention is very foolish, native and show a total lack of understanding of the scams. of you think using a proxy is essential for visa scam, i would even know where to begin to correct you.

it's one hundred per cent clueless privacy invasion. they are probably also opening ports via other means and using that for side channel ID like Facebook does.

just like any other documentation scam, the only weak point is on the "last mile" that's why you will always have a human interviewer.

the visa process is abusive and unpractical because people will work around any hurdle and their kpi will never be affected no matter how crappy they manage to make to whole process. or how many doge kids implement useless privacy invasion tech just because.

I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.

Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.

On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestigly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.

Capturing forensic artifacts of the local network allows a building a bridge strategy for identifying fraudulent networks without requiring knowledge of the path taken from destination to recipient. Other local devices do this and send the network map during a phone home, allowing comparison to a source of truth that is tied almost directly to the person, or group of people.

There is also a lot of fingerprintable material within such a port scan from clock skew, TCP ISN, and a few other areas.

You can sieve this quite easily with this available, thanks to Roku's, Phone's, and other things doing this while just sitting locally in a shared collision domain (a digital soldier quartered in every home).

The metadata node graph of devices locally acts as a unique fingerprint once in RFC1918 space, technically not unique but close enough.

Be careful your security tool isn't producing false positives.

I remember years back when people would run these firewalls and we'd get complaints from home users about normal traffic.

Thinks like complaints our mail servers was scanning them on port 25 when they sent email.

Just a little side note - in this context, it makes sense if the website tries to connect to a local port because you might be running a card reader(ie. terminal). This is how it works with some(all?) EU countries that have a chip in their ID cards, or even vehicle registration cards, which you can use to access sensitive information or perform certain administrative tasks on government websites.

Although, from personal experience, it used to require java and it worked only on internet explorer and since it has been retired and replaced with chromium, i am not sure what is the way to make it work nowadays, as i have not been able to figure out to use it when i needed the last time.

I've had it before where it asked me to use an iPhone/Android app which can read the passport's NFC chip. I guess that's the modern replacement for IE/Java.
It requires installing a local service that bridges between the browser and the smartcard driver (what Java applets did in earlier years). The web app then communicates with the service via requests on localhost. The card-specific driver and bridge service are often bundled together for installation.
The "port scan" just seems to be a local connection to 127.0.0.1:8888. I don't know what purpose it serves on this page, but our government websites often use this technique to communicate with native software for digitally signing documents.

Are you seeing connection attempts to other IPs?

Very interesting. Having looked at NoScript it seems like you can disable LAN as a default value under the allow tab.
It's coming from a F5 script, which is a company that sells anti-bot protection amid other things. (It's coming from obfuscated script at /TSPD, which is a F5 thing.)

https://www.f5.com/

Isn't F5 the company that makes nginx?
I didn't know that! But apparently yes
That bought nginx, but yes!
[dead]
How and why do browsers allow this? Why wouldn't the browser ask for permission in the same way that it does for Microphone access?

It's insane to allow any random website to port scan my LAN. If this wasn't a "feature", I would have considered this a high severity vulnerability

"Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled."

Never knew that this existed. Thank you!

That extension has "Access your data for all websites" ... I really don't get how anyone can give that permission to anyone that isn't well known (a company with a lot on the line) or a person famous for their work (the uBO dev) who has stated he will never sell to anyone or do bad things.

"Hacks and Hops" doesn't even have a valid home page. The extension links to https://g666gle.me/ which does not exist. The domain name itself does not want to make me give access to all my data for all websites to them.

As nice as this extension seems, I would ever in a million years install it.

If would be interesting to see what happens on OpenBSD. With pledge(2) and unveil(2) in Firefox, I wonder what it would see. I expect it would see nothing.

I will give it a try and see what happens and if I see anything I will add it here.

Checking if you are sharing torrents, run a tor node, mine coins?
For another example, studentaid.gov doesn’t work in private browsing.
Most likely some "antivirus" bs. Probably harmless. Fun fact. Most browsers allow by default GET access to web resources on localhost and LAN. Been used for exploits since last century.
Have you double-checked whether the IP isn't shared among multiple website domains? That's quite a classic with IP based filtering with hosters like GCP...