Google Testing New Feature to Protect Devices and Services on Private Networks
Google has announced that it is currently testing a new feature aimed at preventing malicious websites from attacking devices and services on users' private networks. This feature, called "Private Network Access protections," is being introduced to ensure the safety and security of devices such as printers and routers that are not directly connected to the internet.
Typically, devices on a local network are considered safe as they are protected by a router. However, there is still a risk of malicious websites on the internet attacking these devices. To address this, Google's new feature will conduct checks to verify whether a public website is attempting to direct a user's browser to another site within their private network. These checks include ensuring that the request comes from a secure context and sending a preliminary (preflight) request to see if the internal site permits access from a public website.
The focus of this feature is to protect users' private networks from potential threats, particularly those that could result in unauthorized access to devices and servers. For example, Google provided an illustration of a CSRF attack where an HTML iframe on a public website could change the DNS configuration of a visitor's router on their local network. The new feature will detect such attempts and send a preflight request to the internal device. If the device does not respond or responds with restrictions, the connection will be blocked unless explicitly allowed.
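The two checks described above (secure context, then a preflight the internal device must answer), modelled as an added example that is not part of the original article or Chrome's code. It shows the enforced behaviour rather than the warning-only mode; the header names come from the Private Network Access specification, and the origins and allow-list are constructed sample values.

```javascript
// Added example: a simplified model, not Chrome's implementation.
// Assumption: the device trusts exactly one management origin.
const TRUSTED_ORIGINS = new Set(["https://admin.example"]);

// Normalise header names so lookups are case-insensitive.
function lower(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

// Device side: answer the browser's preflight (an OPTIONS request).
function answerPreflight(req, trusted = TRUSTED_ORIGINS) {
  const h = lower(req.headers);
  const isPna = req.method === "OPTIONS" &&
    h["access-control-request-private-network"] === "true";
  if (!isPna || !trusted.has(h["origin"])) {
    return { status: 403, headers: {} }; // no opt-in, so the browser blocks
  }
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": h["origin"],
      "access-control-allow-methods": h["access-control-request-method"] || "GET",
      "access-control-allow-private-network": "true",
      "vary": "Origin",
    },
  };
}

// Browser side: secure context first, then the preflight result.
// A null response stands for a device that never answered.
function browserAllows(initiator, response) {
  if (!initiator.secureContext) return false;
  if (!response || response.status < 200 || response.status > 299) return false;
  const h = lower(response.headers);
  return h["access-control-allow-private-network"] === "true" &&
    h["access-control-allow-origin"] === initiator.origin;
}

// Constructed preflight, as sent before a POST from `origin` to the device.
function preflightFrom(origin) {
  return { method: "OPTIONS", headers: {
    "Origin": origin,
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Private-Network": "true" } };
}
```

A device that predates the feature returns no opt-in header at all, which this model treats the same as an explicit refusal.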
During the testing phase, the feature will be in a "warning-only" mode. This means that requests will not be blocked if the checks fail, but developers will receive a warning in the DevTools console. This gives developers an opportunity to adjust before stricter enforcement begins. However, Google cautions that an automatic reload by the browser could bypass the feature, so it proposes blocking auto-reloading of a page if the Private Network Access feature has previously blocked it.
The overall motivation behind this development is to protect users' internal networks from exploitation by malicious websites. By preventing external websites from making harmful requests to resources within the private network, Google aims to mitigate risks from attacks and vulnerabilities. It's worth noting that while this feature focuses on security measures, ensuring HTTPS connections for local services is a crucial step in integrating public and non-public resources securely, although this is not included in the current scope of the specification.
As Google continues to refine and test this new feature, it demonstrates the company's commitment to enhancing cybersecurity measures and safeguarding users' devices and networks. By proactively addressing potential threats, Google is working towards creating a safer online environment for all users.
Analyst comment
This news can be evaluated as positive as it introduces a new feature aimed at preventing malicious public websites from attacking devices and services on internal networks. The feature will conduct checks and provide warnings to developers, giving them time to adjust. It focuses on shielding users’ private networks and mitigating risks from attacks. Standard enforcement will begin after the warning stage. In the market, this development may increase user confidence in browsing and enhance security measures.