Hacker News new | ask | show | jobs
by ianhowson 2540 days ago
There are. Let them set a setting or confirm on a popup. The vast majority of web users do not want this.

Similarly, there are legitimate reasons why I might want to access a service with an invalid SSL cert. They're rare and should be discouraged for general users.
1 comments
Avamander 2540 days ago
Vast majority of users don't want CSRF-able software either. Let's first discourage such garbage software before making workarounds. In addition to that, those workarounds most likely will not eliminate all the possible issues and buggy software still gets exploited.
link
ianhowson 2540 days ago
Not every TCP server speaks CSRF.

This isn't about 'garbage software'; it's about the expectation that a local LAN is not exposed to the Internet and therefore does not need the same security controls that an Internet-facing network does.

Browsers making requests on the LAN breaks this expectation.

Before someone says "but I don't expect that", well, why do you even have a firewall? With the notable exception of Google/BeyondCorp, practically every LAN in the world expects to trust its members. Having untrusted code in browsers able to send requests on the LAN violates that expectation.

link
Avamander 2539 days ago
a) You can't establish a plain TCP connection with arbitrary content using a browser.

b) Excepting LAN to be always secure, or okay to keep unsecured is a terrible assumption that has been proven wrong numerous times, it is time to trash that assumption once and for all.

link
smashingfiasco 2540 days ago
Implementing CSRF doesn’t stop an outside party from finding out that you have (for example) an AppleTV inside your network. The device will still return a HTTP status code. You could legit spy on end users this way. A real boon for ad tech, too.
link
Avamander 2539 days ago
Such specific detections could be countered by Apple, it serves no good adtech purpose if they can determine some small amount of devices existing on a LAN.

In general though, this isn't be a problem on proper IPv6 LANs and instead of buggy and cumbersome workarounds being built into browsers we should just switch.

link