In Protest of the Web{*} Bulldozer

Venting my frustrations about new web standards

Come off it Mr. Dent. You can’t win, you know. You can’t lie in front of the bulldozer indefinitely.

This isn’t all THAT big a deal…

After about half an hour of research, this is what I found.

  • In Firefox, WebSockets can’t open to port 21, 22, or 23. The console spits back the same SecurityError. I was hoping that WebSockets would be blocked for privileged ports (< 1024), but it didn’t raise an error for port 24. It seems that Firefox maintains a blacklist? (I didn’t investigate this further, or build a complete list of ports.)
  • Finally, I ran a simple netcat listener on my machine, and opened a WebSocket to it. Netcat spit out an HTTP request with a few headers indicating it was a WebSocket. The console wouldn’t let me send data until the connection was established, either.
  • Furthermore, I tried to open a WebSocket to localhost from the console while on eBay, but discovered it was blocked by a Content Security Policy — a header sent from the website. (Very curious! I had assumed some 3rd party script was doing the port scanning and eBay didn’t know… but it seems that whatever script runs would need to work in conjunction with whatever sent the CSP!)
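
The HTTP request the netcat listener printed is the WebSocket opening handshake (RFC 6455). As an added example that is not part of the original post, the Python below parses such a request and shows how a service listening on localhost can refuse the upgrade unless the Origin header is on an allow-list. The sample request, its origin and its port are constructed, and the function names are hypothetical.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455, appended to the client's key to form the accept value.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample of what a listener receives from new WebSocket("ws://localhost:8080/").
# Origin and port are made up; the key is the example nonce from RFC 6455.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Origin: https://shop.example\r\n"
    b"Connection: keep-alive, Upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Return header names (lower-cased) mapped to values for one HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_websocket_upgrade(headers: dict) -> bool:
    """True when the request carries the headers that mark a WebSocket handshake."""
    conn_tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in conn_tokens
            and "sec-websocket-key" in headers)

def respond(raw: bytes, allowed_origins: set) -> bytes:
    """Complete the handshake only for allow-listed origins; refuse everything else."""
    headers = parse_headers(raw)
    if not is_websocket_upgrade(headers):
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if headers.get("origin") not in allowed_origins:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    digest = hashlib.sha1((headers["sec-websocket-key"] + WS_GUID).encode()).digest()
    accept = base64.b64encode(digest).decode()
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept + "\r\n\r\n").encode()
```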

A brief aside on port scanning

The author of the aforementioned article inferred that port scanning was a slightly offensive operation. I agree, but with one caveat.

…but I’m still frustrated.

Over the past decade, I’ve watched the emergence of what I’ll refer to as Web{*} technology. It’s a bit of a cloudy, vague term… but I can give you some examples of it. (Though the curly braces don’t exist on the standards, I felt it helped illustrate my point better.)

  • Web{Bluetooth}: Allows the browser to access Bluetooth devices through your computer
  • Web{RTC}: Enables your browser to do “real-time communication”
  • Web{Assembly}: Enables binary executables to run in your browser
  • Web{GL}: Allows your browser to communicate with your GPU
  • Web{USB}: Allows your browser to enumerate and communicate with USB devices. (Are you KIDDING me?!)
  • Web{???}: Allows your browser to access the accelerometers and other sensors on your system. At one point, it could read your battery charge status. (After particularly bad PR, the battery feature was deprecated.)
  • Each is difficult to disable, and likely lies hidden deep in about:config.
  • Each can be used to further fingerprint, identify, and exploit the user — but it seems that the feature developers either don’t think that this will happen, or don’t care. Perhaps it’s even their intention!
  • Each adds a MASSIVE layer of complexity to the browser. Anyone want to try an accelerometer based side channel attack to recover keyboard strokes in separate windows?
  • Each brings the browser closer and closer to my desktop, and seems solely driven by ChromeBook developers.
  • For the rest of the web, each is an unnecessary gimmick.

Tim builds circuit boards in Virginia Beach, and enjoys writing about current events, history, theology, and philosophy.
