back to article Knock, knock. Who's there? NAT. Nat who? A NAT URL-borne killer

Ben Seri and Gregory Vishnepolsky, threat researchers at Armis, have found a way to expand upon the NAT Slipstream attack disclosed last year by Samy Kamkar, CSO of Openpath Security. The original NAT Slipstream potentially allowed a miscreant to access any TCP/UDP service tied to a victim's machine by bypassing the victim's …

  1. LDS Silver badge

    Web browsers need a built-in firewall....

    As long as they try to become an OS, they need it too... all the WebXXX features are just too dangerous to let code you download from external sources use them.

    1. Duncan Macdonald Silver badge
      FAIL

      Re: Web browsers need a built-in firewall....

      With one rule - NO JAVASCRIPT

      Every browser security bug that I can remember depends on the ability to make the browser execute code (ActiveX, Flash, Javascript etc). If a browser was only a browser (HTML only - no Javascript or other means of executing code) then the whole browser security mess would disappear.

      (What legitimate activities require scripting in the browser instead of in the server ?)

      It is possible to use The Register with scripting disabled - why can that not become the norm for all sites?

      Icon for the poor security in Javascript. =====================>

      1. Number6

        Re: Web browsers need a built-in firewall....

        There are useful things that javascript can do, such as hide/display various bits of text and re-jig drop-down menus based on selections in other menus. That level of functionality does not need any ability to generate network traffic though.

        One of the biggest dangers with javascript is the malicious scripts occasionally delivered by ad servers. If all the ad stuff could be done server side then (a) we'd be a lot safer and (b) ad blockers probably wouldn't hide the ads because they could be streamed in from the main site without any of the obvious flags of an advert.

        1. Neil Barnes Silver badge

          Re: Web browsers need a built-in firewall....

          Well, I'd be happy to see Javascript and its ilk go the way of Flash.

          But then, I don't live my life in a browser. YMMV.

        2. Jamie Jones Silver badge

          Re: Web browsers need a built-in firewall....

          One of the biggest dangers with javascript is the malicious scripts occasionally delivered by ad servers.

          Whilst that's true, the solution is to fix the exploits the scripts use, not simply ban third party ads, and assuming the problem will go away (Of course, banning 3rd party ads is great for other reasons!)

          I knew the expanded functionaility creep given to javascript would cause issues. It would be nice to disable all javascript apart from DOM-manipulation, and similar. 99.99% of sites that use javascript would then work.. The WebRTC and other networking stuff should be opt-in per site, or completely killed with fire!

          I use relatively obscure private lan addresses for my internal hosts.. It turns out, thanks to WebRTC, that makes it easy to fingerprint me :-(

      2. Anonymous Coward Silver badge
        Childcatcher

        Re: Web browsers need a built-in firewall....

        > "Every browser security bug that I can remember"

        Oh, the naivety of youth! I can remember multiple image codec bugs which were exploitable through browsers. Yes, a pure (ascii) text only internet experience would probably be safe, but also pretty boring. Graphics improve the experience, while introducing risks. Scripting even more so.

        Flash however made the experience worse and introduced a lot of risks. Thankfully that's dead now.

        1. Jamie Jones Silver badge
          Happy

          Re: Web browsers need a built-in firewall....

          Oh, the naivety of youth!

          Oh, the naievty of Windows users!

        2. Duncan Macdonald Silver badge

          Re: Web browsers need a built-in firewall....

          Hardly a youth (unfortunately!) - I am 67 next month and I started in computing about the same time as Intel produced the 4040 - well before Microsoft started.

          Among the older computers that I have used IBM 360/65, Data General Nova 2, PDP-11 (multiple types), VAX and MicroVAX (multiple types), Alpha, 68000/68020/68030, 8086/286/386 . How many of the readers here remember using an ASR-33 to prepare a paper tape ?

          1. herman Silver badge

            Re: Web browsers need a built-in firewall....

            Paper tape is a fairly modern invention. I started with punch cards on a Sperry-Univac.

  2. don't you hate it when you lose your account Silver badge

    Unsure whether

    To blame modern browsers or the old bastard known as NAT. But it makes for a messy situation.

    1. quxinot Silver badge

      Re: Unsure whether

      Dunno, i thought it was an excuse for that title, really.

    2. FILE_ID.DIZ

      Re: Unsure whether

      The solution is IPv6, but indirectly.

      Once you get used to the fact that NAT (eg: public to private IP addressing, specifically) is not a security boundary, people will (should) tighten up their overall IT security stance.

      RFC1918/3927 has made people complacent and soft.

      1. Missing Semicolon Silver badge
        Unhappy

        Re: Unsure whether

        Yes, but SIP has to work with IPV6 too. So IPV6 routers will be opening random ports to the LAN in the same way.

        Oh, and "people will (should) tighten up their overall IT security stance"... don't hold your breath for most consumer kit.

    3. Anonymous Coward
      Anonymous Coward

      @don't you... - Re: Unsure whether

      NAT works as designed. I would blame the dumb guy who had the idea to allow a firewall the possibility of opening ports for inbound traffic at will and without asking.

  3. Number6

    I'm glad that OpenWRT doesn't seem to be vulnerable, makes me glad I'm running it when things like this crop up.

  4. lesession
    Pint

    Well played on the headline

    That is all. beer to whoever came up with that one!

  5. Jamie Jones Silver badge
    Happy

    If we could +1 an article...

    ... I'd +1 this for the truly awful(!) puntastic article sub-heading!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021