mailto: blog -at- heyrick -dot- eu

Of browsers and sockets

There is a proposal for raw socket support (UDP or TCP) to be implemented in browsers. This is supposedly useful for things such as secure shell, oddball printer protocols, and various IoT devices that refuse to use normal protocols.
By working at a lower level, it is supposed to be more capable than existing methods (such as WebSocket, WebRTC, and XMLHttpRequest).
Traditionally the lower level protocols were implemented by various plugins such as Java applets, ActiveX, Flash, Silverlight.... but since browsers run on all sorts of devices and the plug-ins don't, they have largely been consigned to history.
The explainer document says that potential security threats can be mitigated by popping up some sort of dialogue that allows the user to accept or reject the connections being requested, and that all "local" addresses would be blocked (unless the raw IP address is entered by the user).

Sounds good, right? The rise in capable web applications (from Docs to Netflix) is because the "write once use everywhere" strategy is much cheaper than having capable native applications. I have written a lot about the limitations of Docs' Android app (compared to the web version).

The problem is that reality often doesn't match the aspirations. Browser authors are in the enviable position of writing what is near enough an operating system, without having to worry about the hard parts like filing systems and talking to diverse and oftentimes weird bits of hardware and the responsibility of getting it rock solid. Remember that the next time your browser crashes.
Development is sometimes seen as "adding things that sound cool" without thinking through the implications for potential abuse, or simply not caring much about the issue. It's somebody else's problem, right?

Why did browsers need access to timers with resolutions high enough to allow Meltdown/Spectre to be demonstrated in JavaScript?
Why do browsers need to be able to access the state of the device's battery? That's something the OS should look after, and nothing that a browser should concern itself with. It was devised, ranked as minimal privacy impact, implemented, and discovered being used and abused just prior to its formal introduction. As a result of this, the API was quietly withdrawn. But questions remain over what sort of oversight went into assessing the API both as "minimal" privacy impact, and indeed, implementing it at all. The web is too mature and too malicious to have people implement stuff simply because it sounds like a good idea.

Think about it. What is the most annoying message that you receive from your browser day to day? Those ones about cookies, right? Those aren't created by the browser, they are created by the websites that bother to pay some degree of attention to EU privacy laws.
Browsers are still stuck with three levels of cookie support - reject all, allow from the domain in question, or allow from everywhere.
This granularity is hopelessly broken with many big sites using multiple domains and CDNs. YouTube, for example, is not everything hanging off *.youtube.com. You may see *.google.com, ytimg.com, *.googleapis.com and others. Which means that support for third party cookies are necessary for a lot of this stuff to work correctly, but that then means that unwanted trackers and profilers can also set cookies on your machine.

Then there's JavaScript. This is even better. In the majority of cases, it is either on or off, with it being on by default. This is understandable as a lot of the web these days works by using some client side intelligence. I have just looked at mobile Chrome (on my phone) for this site. Tap on the padlock and it's possible to access site settings. Here, I can give permission to allow/disallow... sound. What about scripting? What about cookies? Well, these are in the main settings (under Site settings).
Cookies? Allow all, block third party in incognito, block third party, or block all. It's possible to add site block exceptions, on a site by site basis.
Likewise scripting is on or off only. As for the cookies, it is possible to add blocks on a site by site basis.

The problem is that most people don't know what is pulled in by the sites that they visit. I just visited the Daily Express. I don't read that rubbish, but I know it's a site full of bloat.
Ready? agkn.com, amazon-adsystem.com, chartbeat.com, consensus.org, cpx.to, d2q1qts33ql2r.cloudfront.net, facebook.net, fonts.googleapis.com, google-analytics.com, googleadservices.com, googletagmanager.com, googletagservices.com, grapeshot.co.uk, indexww.com, moatads.com, onthe.io, s-onetag.com, scorecardresearch.com, sharethrough.com, twitter.com, and webcontentassessor.com.
Phew!

A user must find out all those domains and block them one by one? Why not "allow express.co.uk and maybe the fonts and block the rest?".

The plethora of Google domains in there probably explains why one cannot ever trust Chrome as a secure privacy-respecting browser. The organisation behind it is no longer "a search engine". Their prime directive these days is to track and profile, and to push "relevant advertising".

So, let's be honest, how are we supposed to trust browser creators to respect security and privacy in something that could have great implications, when they do such a lacklustre job at handling the security and privacy aspects of cookies and Javascript, things that have been around for decades.

Sadly the majority don't care what goes on in the background, so long as <Social$Media$Bollocks> works as they expect it to. So browsers generally aim for the lowest common denominator - to offer a set of options that has barely changed since ANT Fresco back in '99. Which is a ridiculous state of affairs coming from a company that will sometimes go out of their way to reject your browser if they determine it to be "insecure" (too old).

I use Firefox with Ghostery/UBlock Origin. Everything is blacklisted by default. But note, these are extensions that I added myself. Granted, Firefox can do it, but it would really be better if this sort of thing was a standard option within the browser.

And this? Low level socket access in browsers? How long until this is badly abused?

 

The bramble patch

Perhaps in order to atone for getting up late (got up at half six, made a tea, when back to bed and slept until quarter to ten!) or to atone for probably zoning out with Netflix tomorrow, I went and did some work in the bramble patch. Mainly raking away the bits of stalks and other chaff. It was around ten wheelbarrows full.
In my defence, the first week back at work after the holiday is always difficult. Well, that's my excuse for this week. ☺

A cleared bit of land.
Things look better without broken bits all around.

 

Hmm, as I'm writing this, Dark Moor are on PPN Radio with a power ballad called "Gara & Jonay". It's like something from a "classic '90s" station, not the usual sort of songs this station plays. To put it into context, the one playing now (next) is "Roots of Reality" by Gwyllion.

 

UP kitty!

Had Anna out for a while around lunchtime. Hyperactive atomic kitten attacking my leg, and demonstrating an amazing ability to hunt and slaughter ghosts, and... of course... failing to understand that what goes up must by necessity come down.

She scampered up the side of the cherry tree. Up, up, and a little further up. Until the "oh crap" moment, at which point she spent minutes mewing pathetically.

A small kitten in a big tree
"Holy hell, that's a LONG way down from up here!"

Well, sorry furball, if you're to be trusted outside, you'll need to figure out how to get yourself down. I wonder if French firemen have the concept of rescuing cats stuck in trees?

She eventually made it down, with me talking to her, indicating where she ought to go (totally ignored, of course), and helping her down the final half metre because there was nothing to cling on to despite the fact that she jumps down from higher when she's sitting on the windowsill of her stable.

On the ground, she ran like a psycho to the front door, pulled a handbrake turn (with tyre smoke and everything), charged right past me at high speed and right up the tree.

Again. 🤦

 

After leaving her to extricate herself a second time, I decided it would be best if she went home and took a time out with a bowl of kitten food.

 

Don't wanna know about 2020

One of my sunflowers has the perfect response to realising that it is 2020.
A closed sunflower
"2020? No. Just NO.
I understand, I feel the same. I'd like to go to bed, pull the duvet over my head, and wake up in 2022 when Trump is no longer president, Netflix gets over their penchant for cancelling stuff on the flimsiest reasons, and we aren't at risk of the unforgiving plague...

 

 

Your comments:

Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
 
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.

David Pilling, 24th August 2020, 04:14
The BBC... are telling us at the moment (in an advert) that adult cats only meow at humans. And going off topic that dogs have evolved to raise their eyebrows.
Rob, 25th August 2020, 02:02
I've heard it said that cats don't meow at all normally one they get past kittenhood, but those that live with humans don't stop because us humans keep making noises at them!! 
 
On sockets ... I've got mixed views. Raw sockets are going to be abused SOOOO much... but then, I've got an old Windows application that dates from the Win3.11 era, that will run under emulation *in-browser* but needs to be able to talk tcp/ip to a server. So having access to sockets would be handy for that. 

Add a comment (v0.10) [help?] . . . try the comment feed!
Your name
Your email (optional)
Validation Are you real? Please type 03462 backwards.
Your comment
French flagSpanish flagJapanese flag

Calendar
«   August 2020   »
MonTueWedThuFriSatSun
     
1213
181921
242527
31      

Last 5 entries

List all b.log entries

Return to the site index

Geekery

Search

Search Rick's b.log!

PS: Don't try to be clever.
It's a simple substring match.

Etc...

Thank you:
  • Fred
  • Bernard
  • Michael
  • David

Last read at 14:45 on 2020/09/29.

QR code


Valid HTML 4.01 Transitional
Valid CSS
Valid RSS 2.0

 

© 2020 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.

 

Have you noticed the watermarks on pictures?
Next entry - 2020/08/23
Return to top of page