    I can see your local web servers

    (http.jameshfisher.com)
    652 points jamesfisher | 11 comments
    1. gnomewascool No.20028516
    If you use uMatrix, you can easily block the localhost and local network "sniffing" with the following rule[0]:

      * 127       * block    ### block access to IPv4 localhost 127.x.x.x
      * localhost * block
      * [::1]     * block    ### block access to IPv6 localhost
      * 192.168   * block    ### block access to LAN 192.168.x.x
    
    In principle, you can use this without any other blocking, i.e. with the rule:

      * * * allow
    
    and hence without disabling javascript on any sites.

    [0] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uM...

    Edit: as pointed out by DarkWiiPlayer below, if you want to be able to access the localhost websites from the same browser, you need:

      localhost localhost * allow
    
    and similarly for the LAN. In full:

      127       127       * allow
      localhost localhost * allow
      [::1]     [::1]     * allow
      192.168   192.168   * allow
    replies(7): >>20028541 #>>20028585 #>>20028627 #>>20028634 #>>20028673 #>>20030102 #>>20034486 #
    2. black_puppydog No.20028541
    that's awesome, using it!

    but to be fair, the point seemed to be more that if you run something that's "only" exposed locally... don't. securing each and every machine with uMatrix doesn't seem the answer to this.

    3. DarkWiiPlayer No.20028585
    you'd need at least

        localhost localhost * allow
    
    to be able to open sites on localhost directly.
    4. OJFord No.20028627
    Presumably also:

        * 10      * block    ### block access to LAN 10.x.x.x
    5. captn3m0 No.20028634
    uMatrix blocked all of it for me by default.
    replies(1): >>20028681 #
    6. spyder No.20028673
    Also, uBlock has an option in its settings to block the webrtc leak (but not enabled by default):

    "Prevent WebRTC from leaking local IP addresses"

    7. gnomewascool No.20028681
    Yes, but by default uMatrix might be overly strict for many people. For instance, by default it blocks all third-party javascript.
    8. bg0 No.20030102
    Anyone know if this can be done on a hosts level instead of a browser level?
    replies(1): >>20035357 #
    9. dredmorbius No.20034486
    Add all the RFC1918 unroutable private networks.

    https://en.wikipedia.org/wiki/Private_network

        10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
        172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
        192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
        127.0.0.0 - 127.255.255.255 (127.0.0.0/8)
    
    https://tools.ietf.org/html/rfc1918

    Possibly also 100.64.0.0/10 for carriers.

    https://tools.ietf.org/html/rfc6598#page-8

    replies(1): >>20046832 #
    10. comex No.20035357
    It can’t. At best you can try to modify the hosts file to point localhost to somewhere bogus, but aside from the potential breakage that could cause, it won’t help against any site that simply accesses http://127.0.0.1 instead of http://localhost. In general, the hosts file can be useful for quick-and-dirty blocking, but it’s not really capable of enforcing a security barrier.

    Edit: But there may be other ways to do it at an OS level, depending on your OS.

    11. johnp_ No.20046832
    Possibly also the IPv6 ULAs:

    https://en.wikipedia.org/wiki/Unique_local_address

    Not sure if those can be expressed in uMatrix as a prefix rule.
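The thread as a whole assembles a list of address ranges a browser-side rule set should treat as "local": the loopback ranges from comment 1, the RFC 1918 and carrier (RFC 6598) ranges from comment 9, and the IPv6 ULAs from comment 11. The following is an added example, not code from any commenter or from the linked article, that turns that list into a single classifier a defender could use to audit or log outbound fetches from a page. It handles the two pitfalls the thread touches on: a literal `127.0.0.1` or `[::1]` that bypasses a name-based block (comment 10), and IPv4-mapped IPv6 literals such as `::ffff:10.0.0.5`, which the browser would route to the IPv4 LAN. The function names, labels and sample URLs are constructed for this example. It deliberately does not resolve DNS names, so a plain hostname other than `localhost` is reported as "not a literal" rather than safe.

```python
from ipaddress import IPv6Address, ip_address, ip_network
from urllib.parse import urlsplit

# Ranges named in this thread (labels are constructed for this example).
LOCAL_RANGES = [
    ("IPv4 loopback 127.0.0.0/8", ip_network("127.0.0.0/8")),
    ("IPv6 loopback ::1", ip_network("::1/128")),
    ("RFC 1918 10.0.0.0/8", ip_network("10.0.0.0/8")),
    ("RFC 1918 172.16.0.0/12", ip_network("172.16.0.0/12")),
    ("RFC 1918 192.168.0.0/16", ip_network("192.168.0.0/16")),
    ("RFC 6598 shared space 100.64.0.0/10", ip_network("100.64.0.0/10")),
    ("IPv6 ULA fc00::/7", ip_network("fc00::/7")),
]


def classify_host(host):
    """Return the label of the local range `host` falls in, or None.

    `host` is the bare hostname from a URL (no brackets, no port).
    Names other than localhost are NOT resolved; they return None.
    """
    if host is None:
        return None
    name = host.lower().rstrip(".")
    # Name-based check: covers "localhost" and "*.localhost".
    if name == "localhost" or name.endswith(".localhost"):
        return "localhost name"
    try:
        addr = ip_address(name)
    except ValueError:
        return None  # a DNS name, not an IP literal; resolution is out of scope
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) reaches the IPv4 host,
    # so compare it against the IPv4 ranges rather than the IPv6 ones.
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for label, net in LOCAL_RANGES:
        if addr in net:  # `in` is False when address/network versions differ
            return label
    return None


def classify_url(url):
    """Classify the host part of a URL; urlsplit strips [] and :port for us."""
    return classify_host(urlsplit(url).hostname)


if __name__ == "__main__":
    # Constructed sample fetch targets, as a page might request them.
    samples = [
        "http://localhost:8080/",
        "http://127.0.0.1/",
        "http://[::1]:3000/",
        "http://192.168.1.10/admin",
        "http://172.20.0.1/",
        "http://100.100.1.1/",
        "http://[fd12:3456::1]/",
        "http://[::ffff:10.0.0.5]/",
        "http://8.8.8.8/",
        "https://example.com/",
    ]
    for u in samples:
        print(f"{u:32} -> {classify_url(u)}")
```

Because the classifier works on literals, it is only useful at the point where the browser already knows the destination address; a DNS name that later resolves to a private address (the case comment 10 alludes to when it says a hosts file cannot enforce a barrier) has to be checked after resolution, which is why uMatrix-style rules that match both the name and the literal prefix are needed.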