Google says that its Chrome browser will soon block internet websites from querying and interacting with devices and servers located inside local private networks, citing security reasons and past abuse from malware operations.
Being a network security specialist, I’ll ask these basic questions:

1. What’s the universal definition of a private network?
2. Does this measure make sense in IPv6 within the global scope?
3. Is it the responsibility of the browser to secure against DNS rebinding?

My answers to these questions are:

1. There is no universal definition, so this approach is doomed by design.
2. No.
3. Heck, no; that’s the job of the webserver, by avoiding the so-called default virtual host. The Host/:authority header should always be verified, and this is sufficient to counter all forms of DNS rebinding.
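To show what "no default virtual host" looks like in practice, here is an added example (not code from the original post) of a minimal HTTP server that answers only when the Host header names one of its own hostnames; the hostnames and the 421 response are assumed values chosen for the demo. A DNS-rebinding page makes the browser reach this server under the attacker's hostname, so that Host value never matches and the request is refused.

```python
# Added example: reject every request whose Host header is not one of this
# server's own names (the "no default virtual host" rule from the post).
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hostnames and address literals this server answers for (assumed demo values).
ALLOWED_HOSTS = {"printer.internal", "192.168.1.20", "[fd00::20]"}

def host_allowed(host_header, allowed=ALLOWED_HOSTS, default_port=80):
    """Return True only if the Host/:authority value names this server.

    The check is case-insensitive and port-aware: an explicit port must equal
    default_port, and bracketed IPv6 literals such as [fd00::20]:80 are handled.
    """
    if host_header is None:
        return False
    value = host_header.strip().lower()
    if value.startswith("["):                      # IPv6 literal in brackets
        end = value.find("]")
        if end == -1:
            return False
        name, rest = value[:end + 1], value[end + 1:]
    else:
        name, sep, port = value.partition(":")
        rest = sep + port
    # Anything after the name must be ":<default_port>", nothing else.
    if rest and not (rest[1:].isdigit() and int(rest[1:]) == default_port):
        return False
    return name in {h.lower() for h in allowed}

class HostCheckingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: this server is not configured for
            # the authority the client asked for, so nothing is served.
            self.send_error(421, "Misdirected Request")
            return
        body = b"hello from the private network\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), HostCheckingHandler).serve_forever()
```

A request arriving as `Host: attacker.example` after rebinding gets a 421 and no content, while `Host: printer.internal:80` is served normally.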