Comment by WhyNotHugo
7 days ago
I'd split that first list into two:
1a. Arbitrary apps can listen on ports without permissions.
1b. Arbitrary apps can access local ports without permissions.
I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons. Random websites shouldn't be able to access services running on localhost.
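To make the threat in this comment concrete, here is an added example (my own code, not WhyNotHugo's and not from any project mentioned in the thread) of what a random website can do to localhost from inside a browser tab: a `fetch()`-based port probe. In `no-cors` mode the page never sees the response body, but the promise still resolves when something answered and rejects when the connection was refused, and that one bit plus the elapsed time is all a scan needs. The probe timeout, the `127.0.0.1` host and the candidate ports are my assumptions; the same code runs unchanged in Node 18+, which is how it was checked.

```javascript
// Added example, not from the original thread: a page-side probe for
// services listening on localhost, using nothing but fetch(). It runs
// unchanged in a browser tab (as a script on any website you visit) and
// in Node 18+.
//
// A cross-origin fetch in "no-cors" mode never exposes the response body,
// but it still resolves (with an opaque response) when something answered
// the request and rejects when the TCP connection was refused. That bit,
// plus the time it took, is enough to tell which local ports are open.

// Assumption: long enough for a local RST or an HTTP reply to arrive.
const PROBE_TIMEOUT_MS = 1500;

async function probeLocalPort(port, host = "127.0.0.1") {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS);
  const started = Date.now();
  try {
    await fetch(`http://${host}:${port}/`, {
      mode: "no-cors",   // browser: opaque response instead of a CORS failure
      cache: "no-store", // never answer from the HTTP cache
      signal: controller.signal,
    });
    return { port, open: true, ms: Date.now() - started };
  } catch (err) {
    // Connection refused rejects almost immediately. A non-HTTP service
    // that accepts the connection and then just sits there is reported as
    // closed only when the timeout fires, so the elapsed time still leaks
    // that *something* was listening. Browsers also reject fetches to a
    // short list of "bad ports" (for example 25 or 6000) outright, so those
    // always look closed from a page.
    return { port, open: false, ms: Date.now() - started, reason: err.name };
  } finally {
    clearTimeout(timer);
  }
}

// Probe a list of ports in parallel and return the ones that answered.
async function scanLocalPorts(ports, host = "127.0.0.1") {
  const results = await Promise.all(ports.map((p) => probeLocalPort(p, host)));
  return results.filter((r) => r.open).map((r) => r.port);
}

// Typical use from a page: scanLocalPorts([3000, 5000, 8000, 8080, 9229])
// would reveal a dev server or a Node inspector running on the visitor's
// machine. A host firewall does not help, because the request originates
// from the visitor's own browser; a separate network namespace for the
// browser, as described in the comment above, does.
```

Paste it into the console of any site to see it against your own machine, or run it under Node. The design keeps the per-port result separate from the yes/no summary so that the timing column is visible: that is what lets a probe distinguish "refused" from "accepted but silent" even when both end up reported as closed.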
> I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons.
Let me introduce you to https://www.qubes-os.org/.
For the ultra paranoid, is there anything that can do this on a smartphone?
I believe GrapheneOS has true sandboxing.
Nothing out of the box, but you can run VMs in a similar fashion (e.g. qemu).
uBlock Origin ships with a "Block Outsider Intrusion into LAN" filter that I believe is enabled by default. I don't know if it works on the neutered Chrome version, but on Firefox it works so well I've had to add a few whitelists for cases where I do want access to LAN or localhost.
Disabled by default, because it can break stuff that is not explicitly allowlisted.
And even if you enable it, it has an extensive allowlist that probably includes things you don't want.