Google Testing Feature to Block Malicious Websites from Attacking Home Devices

Google is currently experimenting with a new feature that aims to prevent malicious public websites from using a user’s browser to attack devices and services on private networks. This feature is designed to protect devices such as printers and routers that are typically considered safe as they are not directly connected to the internet.

This new feature, called “Private Network Access protections,” will be in a “warning-only” mode in Chrome 123. It conducts checks before a public website is allowed to direct a browser to visit another site within the user’s private network. The purpose of this feature is to shield users’ private networks from potential threats.

Under this new proposal, when the browser detects that a public site is attempting to connect to an internal device, the browser will send a preflight request to the device first. If there is no response, the connection will be blocked, but if the internal device responds, it can tell the browser whether the request should be allowed.
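The device side of the preflight exchange described above, as an added example that is not from the article or from Chrome's code. The header names `Access-Control-Request-Private-Network` and `Access-Control-Allow-Private-Network` come from the Private Network Access specification draft rather than from this article, and the allowlisted origin and method set are constructed for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist: public origins permitted to reach this device's web UI.
ALLOWED_ORIGINS = {"https://setup.example.com"}
ALLOWED_METHODS = {"GET", "POST"}


def pna_preflight(headers):
    """Decide the reply to a preflight (OPTIONS) request.

    headers: dict of request headers with lower-cased names.
    Returns (status, response_headers).
    """
    origin = headers.get("origin", "")
    wanted = headers.get("access-control-request-method", "").upper()
    is_pna = headers.get("access-control-request-private-network", "").lower() == "true"
    # Deny by default: a reply without CORS headers makes the browser block the request.
    if origin not in ALLOWED_ORIGINS or wanted not in ALLOWED_METHODS:
        return 403, {}
    resp = {
        "Access-Control-Allow-Origin": origin,  # echo the exact origin, never "*"
        "Access-Control-Allow-Methods": wanted,
        "Vary": "Origin",
    }
    if is_pna:
        # Explicit opt-in telling the browser the public site may reach this device.
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 204, resp


class DeviceUI(BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        hdrs = {k.lower(): v for k, v in self.headers.items()}
        status, resp = pna_preflight(hdrs)
        self.send_response(status)
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only for local testing.
    HTTPServer(("127.0.0.1", 8080), DeviceUI).serve_forever()
```

A device that never answers the preflight, or answers without the allow header, is treated by the browser as not having opted in.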

The motivation behind this feature is to prevent malicious websites on the internet from exploiting flaws in devices and servers on users’ internal networks, which were presumed safe from internet-based threats. It is intended to protect against unauthorized access to users’ routers and to software interfaces running on local devices, a growing concern as more applications deploy web interfaces that assume protections which do not exist. The feature is not meant to secure HTTPS connections for local services; it aims to mitigate risks such as “SOHO Pharming” attacks and CSRF (Cross-Site Request Forgery) vulnerabilities.

The feature is still in the testing phase, and Google is currently warning developers of potential issues and how to adjust before stricter enforcement begins. This development is an important step in improving the security and protection of users’ private networks from external threats.


