> Can you please elaborate on the analysis: how low is the usage and how did you check that the use is malware?

The Blink.UseCounter.Feature for PrivateNetworkAccessNullIpAddress shows <https://uma.googleplex.com/p/chrome/timeline_v2?sid=a4f412aa940bd3dd7b2bc6c960c2d91d> below 0.001% on all platforms. We've had multiple reports of malware leveraging this to attack specific developer tooling frameworks, e.g. https://crbug.com/40058874.

> Also, just to confirm, this is an intent to deprecate and remove but you're planning on rolling out the removal gradually via finch, right?

Correct.

On Mon, Jun 3, 2024 at 1:25 PM Vladimir Levin <[email protected]> wrote:
>
> On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev <[email protected]> wrote:
>
>> Chrome Status doesn't generate emails for the deprecation trials, only
>> developer trials, so I've repurposed that here. This is a Finch managed
>> rollout, not a developer opt-in, due to the extremely low usage that seems
>> to be almost entirely malware.
>
> Can you please elaborate on the analysis: how low is the usage and how did
> you check that the use is malware?
>
> Also, just to confirm, this is an intent to deprecate and remove but
> you're planning on rolling out the removal gradually via finch, right?
>
> Thanks!
> Vlad
>
>> On Mon, Jun 3, 2024 at 12:03 PM David Adrian <[email protected]> wrote:
>>
>>> Contact: [email protected]
>>>
>>> Explainer: None
>>>
>>> Specification: https://wicg.github.io/private-network-access
>>>
>>> Summary
>>>
>>> We propose to block access to IP address 0.0.0.0 in advance of PNA
>>> completely rolling out. Chrome is deprecating direct access to private
>>> network endpoints from public websites as part of the Private Network
>>> Access (PNA) specification
>>> (https://developer.chrome.com/blog/private-network-access-preflight/).
>>> Services listening on the localhost (127.0.0.0/8) are considered
>>> private according to the specification
>>> (https://wicg.github.io/private-network-access/#ip-address-space-heading).
>>> Chrome's PNA protection (rolled out as part of
>>> https://chromestatus.com/feature/5436853517811712) can be bypassed
>>> using the IP address 0.0.0.0 to access services listening on the localhost
>>> on macOS and Linux. This can also be abused in DNS rebinding attacks
>>> targeting a web application listening on the localhost. Since 0.0.0.0 is
>>> not used in practice (and should not be used), but was overlooked during
>>> https://chromestatus.com/feature/5436853517811712, we're deprecating it
>>> separately from the rest of the private network requests deprecation. This
>>> will be a Finch (experimental) rollout, rather than a Developer Trial.
>>>
>>> Blink component: Blink>SecurityFeature>CORS>PrivateNetworkAccess
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>>
>>> Search tags: security <https://chromestatus.com/features#tags:security>,
>>> Private Network Access
>>> <https://chromestatus.com/features#tags:Private%20Network%20Access>
>>>
>>> TAG review: None
>>>
>>> TAG review status: Not applicable
>>>
>>> Chromium Trial Name: PrivateNetworkAccessNullIpAddressAllowed
>>>
>>> Origin Trial documentation link: https://crbug.com/1300021
>>>
>>> WebFeature UseCounter name: kPrivateNetworkAccessNullIpAddress
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> None
>>>
>>> *Gecko*: Closed Without a Position
>>> (https://github.com/mozilla/standards-positions/issues/143)
>>>
>>> *WebKit*: Support
>>> (https://github.com/WebKit/standards-positions/issues/163)
>>>
>>> *Web developers*: No signals
>>>
>>> *Other signals*:
>>>
>>> WebView application risks
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>>
>>> None
>>>
>>> Goals for experimentation
>>>
>>> Ongoing technical constraints
>>>
>>> Eventually, all private network access will be limited according to the
>>> developing Private Network Access spec.
>>>
>>> Debuggability
>>>
>>> None
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, ChromeOS, Android, and Android WebView)? Yes
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>> No
>>>
>>> Flag name on chrome://flags: block-null-ip-address
>>>
>>> Finch feature name: PrivateNetworkAccessNullIpAddress
>>>
>>> Requires code in //chrome? False
>>>
>>> Tracking bug: https://crbug.com/1300021
>>>
>>> Estimated milestones
>>> Shipping on desktop: 133
>>> Origin trial desktop first: 127
>>> Origin trial desktop last: 133
>>> DevTrial on desktop: 127
>>> Shipping on Android: 133
>>> OriginTrial Android last: 133
>>> OriginTrial Android first: 127
>>> DevTrial on Android: 127
>>> Shipping on WebView: 133
>>> OriginTrial webView last: 133
>>> OriginTrial webView first: 127
>>>
>>> Link to entry on the Chrome Platform Status:
>>> https://chromestatus.com/feature/5106143060033536
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
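As an added illustration, not code from Chrome or from anyone in this thread: the address-space classification the intent relies on, with the unspecified address folded into "local" so that a fetch from a public page to 0.0.0.0 is refused instead of slipping past the loopback check. The range lists, the "block"/"preflight"/"allow" labels and the treatment of "::" alongside 0.0.0.0 are my assumptions.

```python
import ipaddress

# Address-space labels as used by the Private Network Access spec.
LOCAL, PRIVATE, PUBLIC = "local", "private", "public"
_RANK = {PUBLIC: 0, PRIVATE: 1, LOCAL: 2}  # higher = more sensitive

# Ranges are spelled out rather than taken from ipaddress.is_private, which
# also marks documentation ranges such as 203.0.113.0/24 as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fc00::/7", "fe80::/10",         # link-local, ULA
)]


def _normalise(host: str) -> ipaddress._BaseAddress:
    """Parse a literal IP; map ::ffff:a.b.c.d back to the IPv4 it denotes."""
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def address_space(host: str) -> str:
    """Classify a literal IP address as local, private or public."""
    ip = _normalise(host)
    # 0.0.0.0 reaches the loopback interface on macOS and Linux (the gap the
    # intent describes), so it is treated as local, not left to fall through
    # as public. Treating "::" the same way is an assumption.
    if ip.is_unspecified or any(ip in net for net in LOCAL_NETS):
        return LOCAL
    if any(ip in net for net in PRIVATE_NETS):
        return PRIVATE
    return PUBLIC


def classify_request(initiator_host: str, target_host: str) -> str:
    """Return 'block', 'preflight' or 'allow' for a fetch between two literal IPs."""
    if _normalise(target_host).is_unspecified:
        return "block"  # the deprecation in the intent: 0.0.0.0 refused outright
    if _RANK[address_space(target_host)] > _RANK[address_space(initiator_host)]:
        return "preflight"  # a private network request: PNA preflight applies
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a public page (203.0.113.10, documentation range)
    # fetching a developer tool that listens on localhost.
    for t in ("0.0.0.0", "127.0.0.1", "::ffff:127.0.0.1", "10.1.2.3", "198.51.100.5"):
        print(f"{t:>18} -> {address_space(t):8} {classify_request('203.0.113.10', t)}")
```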
