Chrome's new security measures aim to limit an entire class of web attacks
Browsers have long been used by hackers as a beachhead. Google aims to change that with PNA.

Now, Google is finally doing something about it.

Starting with Chrome 98, the browser sends requests when public websites want to access endpoints within the private network of the person visiting the site. For now, failed requests do not block connections. Instead, they are only logged. Around Chrome 101, assuming that the results of this trial run do not indicate that major parts of the Internet would break, public sites will need explicit permission before accessing endpoints behind the browser.

The planned end of this access comes as Google enables a new feature called Private Network Access (PNA), which allows public websites to access internal network resources only after the sites explicitly request it and the browser grants the request. PNA communications are sent using the CORS, or cross-origin resource sharing, protocol. Under this plan, the public site presents a pre-flight request in the form of a new header, Access-Control-Request-Private-Network: true. For the request to be granted, the response must carry the corresponding header, Access-Control-Allow-Private-Network: true.

Websites have had the ability to use Chrome and other browsers as a proxy to access resources within the local network of the person visiting the site. While routers, printers, or other network assets are often locked down, browsers, because they need to interact with so many services, are allowed by default to connect to almost any resource within the local network perimeter. This has given rise to a class of attacks called CSRF, short for cross-site request forgery.

These attacks have been carried out in the wild for more than a decade, often with disastrous consequences. In one 2014 incident, hackers used CSRF to change the DNS server settings of more than 300,000 wireless routers. The change caused the compromised routers to use malicious DNS servers to resolve the IP addresses that users were trying to visit. For example, instead of returning the address of a reputable site, a malicious server might return the IP address of a fraudulent site that the end user has no reason to believe is malicious. The following image, from Cymru researchers, shows three steps involved in these attacks.

[Image: Three-step attack that changes the router's DNS settings by exploiting a cross-site request vulnerability. Credit: Cymru]

In 2016, the people behind the same attack returned to push malware known as DNSChanger. As I explained at the time, the campaign against home and office routers built by Netgear, DLink, Comtrend, and Pirelli worked as follows:

DNSChanger uses a set of real-time communication protocols known as webRTC to send so-called STUN server requests used in VoIP connections. The exploit is ultimately able to pass code through the Chrome browser for Windows and Android to reach the network router. The attack then compares the accessed router against 166 fingerprints of images of vulnerable routers. Here are two graphs showing how it works.

The Way Forward

Starting from version 98, if Chrome detects a private network request, a "pre-flight request" will be sent ahead of time. If the pre-flight request fails, the final request will still be sent, but a warning will appear in the DevTools Issues panel.

"Any failed pre-flight request will cause the fetch to fail," Google developers Titouan Rigoudy and Eiji Kitamura wrote in a recent blog post. "This allows you to check if your website is running after the second phase of our launch plan. Bugs can be detected in the same way as using the DevTools panels listed above."

If and when Google is confident that there will be no major disruptions, pre-flight requests will have to be approved for the access to go through.
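The pre-flight exchange described above, with the Access-Control-Request-Private-Network request header and the Access-Control-Allow-Private-Network response header, shown from the side of a device inside the private network. This is an added example, not code from Google or the original article. It assumes the private endpoint is what answers the pre-flight; the allowlisted origin https://admin.example, the function names and the simplified IPv4-only address classification are illustrative assumptions.

```javascript
// Added example. ALLOWED_ORIGINS and all function names are illustrative assumptions.
const ALLOWED_ORIGINS = new Set(["https://admin.example"]); // constructed value

// Simplified IPv4-only classification into PNA address spaces.
function addressSpace(ip) {
  const [a, b] = ip.split(".").map(Number);
  if (a === 127) return "local";
  const rfc1918 = a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  if (rfc1918 || (a === 169 && b === 254)) return "private";
  return "public";
}

const RANK = { public: 0, private: 1, local: 2 };

// A request is a private network request when the target is in a more
// private address space than the page that initiated it.
function isPrivateNetworkRequest(initiatorIp, targetIp) {
  return RANK[addressSpace(targetIp)] > RANK[addressSpace(initiatorIp)];
}

// Decide how the private endpoint answers a pre-flight. Header names are
// lowercase, as Node's http module delivers them. Returns null when the
// request is not a PNA pre-flight and should be handled as usual.
function answerPreflight(method, headers) {
  const isPna = method === "OPTIONS" &&
    headers["access-control-request-private-network"] === "true";
  if (!isPna) return null;
  const origin = headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // No Allow header is sent, so the browser treats the pre-flight as failed.
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": headers["access-control-request-method"] || "GET",
      "Access-Control-Allow-Private-Network": "true",
      "Vary": "Origin",
    },
  };
}
```

During the Chrome 98 warning-only phase, a refused pre-flight like the 403 case shows up only as a DevTools warning; once pre-flights are enforced, the same refusal stops the request.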
