
In protest of the web{*} bulldozer, a response to websocket port scanning - bjt2n3904
https://medium.com/@bjt2n3904/in-protest-of-the-web-bulldozer-e0fce4567d26
======
_bxg1
The web already has a user-facing permissions system; it wouldn't be hard to
add many of these under that umbrella (USB, Bluetooth, and Sensors stand out
as obvious candidates that should've been behind that barrier from the
beginning). Battery Status definitely seems pointless overall.

But I don't agree with the overall thesis, that the web fundamentally should
not get features like these. Though, obviously, some of these "standards" have
been rushed through and poorly executed.

I think for this we can blame Chromium's dominance. As the author said, many
of these features were probably motivated by Chrome OS. And the devil's
bargain of letting Chromium take such complete control over the web is that
Google can strongarm whichever new "standards" they like into the Web.

The standards committee doesn't want WebBatteryStatus? Fine, we'll implement
it anyway and now Chrome desktop/mobile, Chromebooks, and Edge will all have
it. Sites that want to use it will probably just use it and throw up a "Use
Chrome" notification for Firefox and Safari.

~~~
alerighi
I don't think these features are bad, they are useful in some ways. Why we
need USB on the browser? Think about updating the firmware of a device, you
just go to the webpage, connect the device to the USB and update it, without
having to download and install a tool to flash it, for an operation that you
need to do just one time. This is only one example of many that we can make,
another could be IDEs in the browser to program boards like Arduino, without
installing software on the PC.

Battery status? It could be useful to know if the PC is connected to a power
source and the level of the battery, even for a stupid scenario like watching
a video, when I'm low on battery I usually reduce the resolution of a YouTube
video because reproducing a 4k60p video uses a lot of resources, and drains
the battery quickly. It would be useful if the webapp could just do that
automatically, maybe on YouTube an option like reduce resolution when low on
battery. Or for games, or whatever uses a lot of resources.

Think about it: the only reason because Electron apps exist (and we waste
200Mb of disk for each one of them) is only because browsers don't have APIs
to access the filesystem! To me is a waste, the browser should give each
application (let's stop calling them sites, they are no longer that) the APIs
and permissions to access hardware, just like on mobile devices you have a
dialog that says "this app would like to access the internal storage, consent
or deny?".

Where is the problem? The user should give the privilege (only one time) and
you finally can do basically 99% of work in the browser (and maybe the browser
introduces also API to run the application in a window), you no longer need
Electron just to do these kind of things, is still more secure than Electron
because the code is sandboxed by the browser, and you don't have to worry
about packaging your software for different operating systems.

~~~
saagarjha
> I don't think these features are bad, they are useful in some ways.

That’s the whole point: they look like APIs that might be useful for something
but then they invariably become used for fingerprinting or an attack surface
and we find out that nobody was actually using it at all, even though we came
up with a couple of legitimate-sounding use cases for it.

> the code is sandboxed by the browser

What’s the point of a sandbox if you keep poking holes in it by adding new
APIs?

~~~
dmix
aka the road to hell is paved with good intentions

------
bijection
> Unlike the rest of the technologies, [Websockets] seems to have somewhat of
> a purpose — even if it’s been made redundant by things like HTTP/2 streams.
> ... Give it a few months, and there will be some NodeJS fad where everyone
> wants to re-implement HTTP with WebSockets, and load every asset for their
> website through JavaScript to save a tenth of a microsecond in some edge
> case involving tech buzzword bingo. ... Once this happens, disabling
> WebSockets breaks the internet.

To be fair to Websockets, they've been around for almost a decade, pre-dating
http/2 by a few years, and the duplex communication they offer is a
fundamental building block for all kinds of stuff, from games to trading
websites to chat systems.

Although the Battery API is a different story, the author's point about
Websockets seems to be based on somehow having overlooked them for quite a
while.

~~~
TazeTSchnitzel
Yes, and WebSockets are a clean and fast replacement for horrible hacks that
preceded them. Nobody liked having to constantly poll the server one way or
another, or god forbid, use Flash.

~~~
Thorrez
One alternative to repeated polling or Flash is hanging GETs. But yes, that's
a pretty weird hack.

~~~
arantius
That's unidirectional. Websockets allow fully stateful bidirectional data
transfer (just like a regular socket). They're wonderful when that's what you
need.

~~~
Thorrez
Yeah, you pair hanging GETs with XHR to get bidirectional transfer. Yeah I
agree websockets are a lot easier than the hacky hanging GETs + XHR setup.

------
vbezhenar
One website can use resources from other website using img, script, link tags.
That was since WWW invented. User agent will retrieve related resources from
other websites.

Those port scanners abuse that feature. <img href="[https://website-resolving-
to-127-0-0-1.com:1234">](https://website-resolving-to-127-0-0-1.com:1234">) is
a legitimate code and browser is expect to establish TLS connection to
127.0.0.1:1234.

Trying to patch that fundamental behaviour is hard.

Websockets are not enemy here. They are just convenient tool. It could be
implemented without websockets.

Imagine that google.com added <img src=yourpoorwebsite.com> into their main
page. Now you've got billions of requests and your website is DDoSed. Who's
bad here? Browser which allows requests from google.com to
yourpoorwebsite.com? Or Google who decided to kill your website?

~~~
EE84M3i
"One website can use resources from other website using img, script, link
tags."

Interestingly, you can't do this for web fonts, because they require CORS,
which was only added to make type foundries happier by making hotlinking fonts
not possible.

------
saagarjha
All the new web standards are a bit tiresome, to be honest, and some of them
have the flimsiest justification. I remember someone pushing the Ambient Light
Sensor API on Twitter at some point and the example they gave was "you can
offer dark mode to your users if the brightness you detect is low". Like,
really? There are actual browser APIs for this, and they offer a better signal
of user intent than brightness levels could ever do. Can you please just think
these through?

~~~
hoten
Extrapolating the reasons behind a particular standard being created from a
random Tweet is a bit disingenuous. Here are the examples that the standard
proposal cites:

[https://w3c.github.io/ambient-light/#usecases-
requirements](https://w3c.github.io/ambient-light/#usecases-requirements)

The camera one especially seems convincing to me.

~~~
gruez
None of the examples they've listed sound convincing.

>A Web application provides input for a smart home system to control lighting.

Why would you need ambient light level to control lighting? Do you need a
phone to calibrate the room's brightness or something?

>A Web aplication checks whether light level at work space is sufficient.

Can't think of a reason why an app would need to do this

>A Web application calculates settings for a camera with manual controls
(apperture, shutter speed, ISO).

Seems contrived to me. It might make sense for an analog camera, but every
digital camera has a lightmeter, which is what you'd want anyways rather than
the light sensor on your phone with unknown accuracy and viewing angle.

>A Web application monitors light level changes produced by hovering hand user
gesture and interprets them to control a game character.

Wouldn't that be better served by using the front facing camera? You can even
implement different hand gestures that way.

------
ximm
I am starting to wonder whether we should split the web into "document mode"
with only small subset of javascript APIs and "application mode". This could
actually spark some innovation because the threshold to build a document-web-
browser from scratch would be so much lower and it could have much better
security.

~~~
lecarore
I browse the web with js off by default, and turn it on per domain in 2
clicks. That's basically what you are proposing accessible today, with
Firefox, on desktop and on Android

~~~
throwaway_pdp09
Aside: I turn off JS and never allow it on outside a VM (which gets wiped back
to a clean state on shutdown).

It's definitely not the same thing because a lot of documents simply do not
render (here's one I was looking at not 2 minutes ago, at least it has text,
but no pics [https://vanschneider.com/the-kawaiization-of-product-
design](https://vanschneider.com/the-kawaiization-of-product-design) A Number
of sites will render absolutely nothing at all, text or otherwise eg
[https://www.washingtonpost.com](https://www.washingtonpost.com)).

Nope, he's got a good suggestion IMO.

------
banachtarski
So much misinformation and FUD in this article. It's immediately suspect that
the author had to lookup what websockets even WERE. No mention of the
permissions system? This is a super low-quality article to make it to the
front page.

~~~
usr1106
Right, and he didn't try out all sockets to find out what is the blacklist.
Did he notice that Firefox is open source and reading the source might give
good hints? (On my phone now and not starting to do it myself. But I have run
Firefox under gdb before to check how Google Streetview uses WebGL. It's not
difficult under Linux at least, even if you like myself know absolutely
nothing about the somewhat intimidating code base of Firefox.)

------
TazeTSchnitzel
> Web{Assembly}: Enables binary executables to run in your browser

“Binary executables” makes it sound like it's machine code, but WebAssembly is
more like a bytecode for JavaScript.

~~~
TeMPOraL
I'm of two minds about it. On the one hand, JS should've been compiled in the
first place; that we spent some two decades making computers parse
increasingly complex scripts repeatedly is a sad waste, and it spawned what's
probably the biggest hack ever to become a standard practice: minifying code.
On the other hand, WebASM webapps will be an order of magnitude less
inspectable.

~~~
qeternity
On the other hand, V8 is the most widely run, heavily invested and thus
optimized JIT compiler in history. So I think most of the interpreted vs
compiled mistakes have been Google’d out at this point.

~~~
default-kramer
In my opinion, the "sad waste" has nothing to do with CPU clock cycles and
everything to do with the uncountable hours humans have spent trying to make
javascript tolerable. If we had bytecode from the start, it would have enabled
a huge reduction in human labor.

~~~
drran
Flash implemented using bytecode.

------
kbenson
> Firstly, WebSockets seem to be prohibited from accessing 192.168.0.0/16 and
> 10.0.0.0/8\. In Firefox, it raises SecurityError.

And 172.16.0.0/12 I hope. I did a little Googling and didn't quickly find a
list of sources they are blocking in Firefox (or is it part of the standard?),
but I hope that one is included. It's not as common, but it's still a private
network and used sometimes.

~~~
moonbug
Gee, good job no one uses IPv6.

~~~
icedchai
Consider a /64 subnet will take a while, if not forever, to scan.

~~~
Dylan16807
Unless you know part of the mac address. Or it's bound to :0:0:0:1. And maybe
you already know the IP and the firewall is blocking connections from outside
the building.

------
swiley
I remember being a little surprised websockets could violate the same origin
policy. It was only a matter of time before that was going to be abused.

It’s a shame because it meant you could run your own server for eg js/html
games.

~~~
TazeTSchnitzel
> I remember being a little surprised websockets could violate the same origin
> policy. It was only a matter of time before that was going to be abused.

WebSockets don't have the Same Origin Policy like XMLHttpRequest does, yes,
but they are required to tell the server they connect to what origin they came
from, so the server can enforce whatever restrictions it likes.

WebSockets were also designed with preventing abuse in mind: note the protocol
obfuscation and weird headers, which I think are there so you can't confuse
non-WebSocket-aware servers and non-HTTP protocols.

However, as with XMLHttpRequest and other ways to do an HTTP request, it's not
possible for the browser to know if a destination server speaks HTTP without
trying to connect to it, and I guess that's why port scanning is possible.

------
qeternity
I’m a bit surprised that anyone with a remotely techie background has been
unaware of websockets until now.

~~~
bjt2n3904
I generally do embedded and radio things. :) I'm not gonna lie, I can't follow
web stuff with the speed at which it changes.

------
IshKebab
Good list of Web* technologies but he is wrong about them being all on-by-
default security risks and wrong about them being useless gimmicks:

* WebSockets: On by default but obviously useful and not that different to normal HTTP requests. Can you port scan with XMLHttpRequest? I wouldn't be surprised.

* WebBluetooth: Has a permission dialog. This is actually really useful for things like the physical web - you can control nearby one-off devices without needing to install an app or for either device to have internet access. Great for interactive art installations for example.

* WebRTC: Enabled by default but very useful for web based games because it allows UDP-like communication. Also obviously useful for video conferencing.

* WebAssembly: This doesn't let you do anything that Javascript didn't so he's just being paranoid that it "enables binary executables to run in your browser".

* WebGL: This one he has a point on - GPU drivers are _full_ of bugs and weren't designed to run untrusted software. I'm surprised there aren't more exploits of this.

* WebUSB: Again, useful for using USB devices without having to install an app. This also has a permission dialog.

Most of these are because the web is now an app platform, not just a document
store.

------
fxtentacle
I fully agree.

When I open a newspaper website, I want to receive a tiny bit of HTML and CSS
and maybe references to some images. Like 50KB+images.

Instead, I am bombarded with megabytes of JavaScript and these new APIs so
that advertisers can better spy on me. All of that comes at the expense of my
bandwidth, my CPU usage and battery power, and my privacy.

Soon, we'll need a service that remotely opens those websites for you, then
dumps the DOM and only forwards that to you. So basically server-side
rendering for other people's delinquent websites.

------
nana-
Actually Microsofts work on [https://docs.microsoft.com/en-
us/openspecs/windows_protocols...](https://docs.microsoft.com/en-
us/openspecs/windows_protocols/ms-rdperp/ead02bce-64ef-41d6-aa06-8565956b9fe7)

------
mindslight
The problem is that these APIs have been developed with little concern paid to
security. Compounding this, Mozilla hasn't even tweaked the implementation
details to retain what security they could. This is seemingly due to a
mistaken idea that sandbox escape is the only security property that matters,
allowing these APIs to leak identifying information like sieves.

For example, AFAICT the common wisdom for mitigating Location with user.js is
to set it to Ask for every site instead of a blanket Deny, because the latter
actually turns out to be more fingerprintable. Whereas Deny should be
indistinguishable from Ask with a negative response.

------
josteink
> Each brings the browser closer and closer to my desktop, and seems solely
> driven by ChromeBook developers.

Yes. So let’s reject them all.

Let sane desktop browsers tell the web that these APIs don’t exist in a
meaningful way, and that building applications that rely on them is a waste of
time.

Mozilla, Microsoft and Apple? Pretty please?

