this post was submitted on 18 Jul 2024
42 points (97.7% liked)

Privacy

31931 readers
733 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Basically title. Recently I saw a new option in Chromium website permission settings called "allow access to local network" or something like that and I know some antiviruses on Windows that can list all devices connected to the same WiFi network. I'm usually using Firefox based browsers that obviously don't have the option to disable or enable that access. So can some really invasive websites mine data about my local network, connected devices etc? And if so, what can I do to prevent it except for just disconnecting everything else when visiting such websites?

top 30 comments
sorted by: hot top controversial new old
[–] [email protected] 32 points 3 months ago* (last edited 3 months ago) (3 children)

There is a Firefox extension that blocks port scanning from websites, and the prime example is eBay. If you block eBay with this extension, you cannot log in. eBay specifically requires a port scan of your machine or it won't let you log in. So based on just that alone, I would say that yes, there is a risk.

[–] [email protected] 24 points 3 months ago (1 children)

What in the world are they digging for?

[–] [email protected] 16 points 3 months ago

Anything that can help advertisers. In this case they can get data about your wealth and also assume that the nearby devices belong to the same person or family. That's some very useful data for unethical advertisers.

[–] [email protected] 10 points 3 months ago (1 children)

Interesting, I didn't know about that. Bleeping computer has a good write up on it (I'm assuming they broke the story) https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

[–] [email protected] 9 points 3 months ago (1 children)

According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux.

HA!

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (1 children)

Is this related to how Linux does permissions?

[–] [email protected] 4 points 3 months ago

Probably useragent check. They likely suspected that they'd get caught quicker if they scanned Linux users.

[–] [email protected] 1 points 3 months ago

Hmm ok thanks for the information. I'll look into that.

[–] [email protected] 7 points 3 months ago (2 children)

You can stop that (and many other things) with jshelter.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (2 children)

Any extensions or mitigations you use can be detected and used to increase the fingerprint of your browser/device even more.

https://abrahamjuliot.github.io/creepjs/

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (1 children)

If I visit that page I get a "fingerprinting activity detected" warning from JShelter and then a mostly blank page with "FP ID: Computing..." at the top, and a bunch of javascript errors in the console.

Most sites are fine with the settings where I normally leave them, but it's not much of a surprise for one that's devoted entirely to browser fingerprinting to be broken by JShelter. Stopping or at least making more difficult most fingerprinting attempts is among the things it does. It can't stop all of them of course, but it's one component that helps to work against them.

[–] [email protected] 3 points 3 months ago (1 children)

WebWorker is disabled by default in JShelter which is required for creepjs to work. If you set just that function to Strict instead of just the default Remove, then creepjs still works fine.

But creepjs could be modified to work without webworker if you were thinking JShelter really does something useful to hide your fingerprint from someone who wants it bad enough. And you can still be fingerprinted many other ways even without JavaScript at all.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (1 children)

Yeah my main browser is easily fingerprinted due to the many ways it is non-standard. I'll use torbrowser or something if it actually matters. But JShelter does not really make that problem worse for most people, and it probably frustrates some fraction of attempts — including those that rely on web workers apparently.

The page load time of creepjs would not be acceptable for use in real life. Anything with that much creepy js is going to get itself blocked by other means.

[–] [email protected] 3 points 3 months ago (1 children)

The page load time of creepjs would not be acceptable for use in real life

Well any site that uses fingerprinting tech, regardless of what it is, is just going to have it load silently in the background so I don't think it would be noticeable anyways.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

That depends on what's making it take so long, among other things. But with sufficient effort I suppose the more sneaky fingerprinters (those which aren't aren't already blocked by other extensions) could probably be made difficult to notice for unprepared users. JShelter popping up a big warning about a "very high" level of fingerprinting activity is a pretty good hint though, and I take it as a suggestion to add some rules for ublock if I expect to visit that site again.

As it continues to get more common, maybe it's time to go back to using noscript as well.

[–] [email protected] -1 points 3 months ago

Mullvad browser uBlock jshelter privacybadger NoScript

[–] Blxter 2 points 3 months ago

Whelp adding this to my extension list. There is no webpage I visit that should need this info ... I think thanks for link

[–] [email protected] 7 points 3 months ago

This is something new. Thanks for the info. Man we are not safe.

[–] possiblylinux127 5 points 3 months ago (1 children)
[–] [email protected] 0 points 3 months ago (1 children)

WebRTC has a separate toggle.

[–] possiblylinux127 1 points 3 months ago (2 children)

Not in Firefox based browsers. Also that's the tech they use for scanning

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

media.peerconnection.enabled = false

[–] [email protected] 0 points 3 months ago

It has a separate toggle in Chromium so I think these are 2 separate things.

[–] [email protected] 2 points 3 months ago

Wasn't it Google drive, that once you install it onto a device on a network, that it would scan your entire network for other devices? I tried Googling for it but then laughed realizing Google wouldn't let that information continue to linger. Or I could just be wrong.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago)

Is it maybe the case that the setting is for allowing/disallowing you to go to sites on your local network?

For example your router controls at "192.168.1.1" (example address) or a raspberry pi with a selfhosted service like nextcloud etc.

You can probably test whether my claim is true by trying to visit your routers page with the setting enabled vs. disabled. (I am not using Chrome)

I don't think websites have access to your local network through the browsers javascript engine, but I may be wrong.

[–] [email protected] 2 points 3 months ago (1 children)

It is possible, yes. Here's a proof of concept implementation and there are undoubtedly others out there.

[–] [email protected] 0 points 3 months ago (2 children)

I guess I'll switch to Chromium then

[–] [email protected] 4 points 3 months ago* (last edited 3 months ago) (1 children)

Except that chromium and everything based on it is Sending information about your pcs Ressource usage on Google sites, as far as I have heard

[–] [email protected] 0 points 3 months ago

I don't use that sites on the devices with the highest threat model so it should be fine. Hopefully.

[–] [email protected] 2 points 3 months ago

I don't know if it'll work on Chromium or not. It's worth a try.