Coffeehouse Thread

Software using localhost as a proxy - security concerns?

  • GoddersUK

    I recently installed an update to a piece of software that puts all browsing through a proxy running on 127.0.0.1 (port 8777) (there IS good reason for this and it's more effective than how the previous version of the software worked). Since I'm not an expert in such matters I'm slightly concerned that this could also be open and internet facing, opening my computer to security threats from anyone who knows/guesses my IP address. Is this the case?

    Will keeping it blocked on Windows Firewall eliminate any potential risk (so far as I can tell it still functions as intended when blocked)?

  • DaveWill2

    56 minutes ago, GoddersUK wrote

    *snip*

    I'm slightly concerned that this could also be open and internet facing

    *snip*

    By "this" do you mean 127.0.0.1 (port 8777) or the proxy's internet facing side?

    The loopback range 127.0.0.0/8 is supposed to be dropped if any of those packets should get on the network. Those packets are not supposed to be on the network.

    The proxy's internet facing side ... if the proxy were keeping listening ports open you could check it out by doing a netstat -ano and seeing what ports are listening, cull out the known ones, and investigate the unknown ones.

  • cheong

    Listeners binding to loopback listen only to loopback and no other places. The people outside can't connect to it even if your firewall is off.

  • AndyC

    @GoddersUK: If it's only ever listening on the loopback address, it's not even an issue to begin with. The network stack will ignore packets claiming to be destined for 127.0.0.1 that come from a remote machine long before any application sees them.

    If it's listening on all addresses but you use WF to block communication from outside, without it breaking, then again you're safe (although the software probably shouldn't have done that in the first place) and I'd carry on using it in that config.

  • evildictaitor

    It depends how they opened the socket.

    For example, in C# you can get either behaviour:

    using System.Net;
    using System.Net.Sockets;

    TcpListener listener;

    // This form is loopback only and not visible from outside of your machine:
    listener = new TcpListener(new IPEndPoint(IPAddress.Loopback, port));

    // This form binds to every interface and exposes the port to the network:
    listener = new TcpListener(new IPEndPoint(IPAddress.Any, port));

    listener.Start();

    Assuming you're running Windows Firewall, you'll get a prompt with the latter to ask you if you want to add an exception to punch a hole through the firewall. If your program gave you a Windows Firewall prompt, then you might want to make a feature request to the product team to allow you to disable it.

    If you didn't see a prompt, you're probably safe.

  • GoddersUK

    Thanks for the info guys. This is what I'm seeing:

    [image]

    I have no idea what the software is actually listening to (i.e. if it's listening for all attempted connections or only those arising from this computer).

    @evildictaitor: I did get a Windows Firewall prompt. So this implies it's listening for incoming connections? (There's no reason that I can see for it to need incoming external connections and it appears to function perfectly when incoming connections are blocked on Windows Firewall).

    I need to post on their support forums for an unrelated issue so I'll raise this with them then too.

  • GoddersUK

    DaveWill2 wrote

    *snip*

    By "this" do you mean 127.0.0.1 (port 8777) or the proxy's internet facing side?

    I mean I'm concerned the proxy that the software has installed on my machine could be accessible from other machines.

  • Sven Groot

    Run "netstat -a". If there's something listening on port 8777 on anything other than the loopback address, then you could have a problem. Of course, if you use a firewall, it still shouldn't be an issue.
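    The check DaveWill2 and Sven Groot describe (run netstat, find what is listening on 8777, and see whether it is bound to loopback or to every interface) as a small Python script. This is an added example, not code from the thread; the netstat output embedded in it is constructed to look like Windows "netstat -ano" output and is not a real capture.

```python
import ipaddress
import re
import subprocess
import sys
from typing import List, NamedTuple

# Constructed sample of Windows `netstat -ano` output (not a real capture).
# One listener on 8777 is loopback-only, one is bound to a LAN address.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:8777         0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.20:8777      0.0.0.0:0              LISTENING       4321
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    [::1]:8777             [::]:0                 LISTENING       4321
  TCP    127.0.0.1:8777         127.0.0.1:52311        ESTABLISHED     4321
"""

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int
    loopback_only: bool

# Only TCP lines in the LISTENING state matter here (English Windows wording).
_LISTEN_LINE = re.compile(r"^\s*(TCP)\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def _split_endpoint(endpoint: str):
    """'127.0.0.1:8777' -> ('127.0.0.1', 8777); '[::1]:8777' -> ('::1', 8777)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def _is_loopback(host: str) -> bool:
    # 0.0.0.0 and :: are wildcard binds: reachable on every interface, so not loopback.
    return ipaddress.ip_address(host).is_loopback

def parse_listeners(netstat_output: str) -> List[Listener]:
    found = []
    for line in netstat_output.splitlines():
        m = _LISTEN_LINE.match(line)
        if m:
            host, port = _split_endpoint(m.group(2))
            found.append(Listener(m.group(1), host, port, int(m.group(3)), _is_loopback(host)))
    return found

def exposed_listeners(netstat_output: str, port: int) -> List[Listener]:
    """Listeners on `port` bound to anything other than a loopback address."""
    return [l for l in parse_listeners(netstat_output) if l.port == port and not l.loopback_only]

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8777
    live = subprocess.check_output(["netstat", "-ano"], text=True)  # Windows format assumed
    for l in exposed_listeners(live, port):
        print(f"port {port} is exposed on {l.addr} (PID {l.pid})")
```

    An empty result means every listener on that port is bound to 127.0.0.1 or ::1, which is the case where the firewall does not even come into play.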

  • evildictaitor

    And bear in mind that normally you won't be directly connected to the Internet - your router will normally have a firewall too (that's why you can't normally run an Internet-accessible webserver from your laptop).

  • GoddersUK

    @Sven Groot: I see nothing (although it is already blocked by my firewall) so I won't worry too much.

    @evildictaitor: ATM I'm connected to a large university hall of residence network so it's always a good idea to be suspicious. You can't trust who or what you're connecting to - a while back they had a problem with malware on connected computers pretending to be the DHCP server and infecting unpatched machines. Similarly when I connect to the main university network (since I'm not normally in halls).

    Anyway I think I'm safe atm. Thanks guys!

  • evildictaitor

    You can't trust who or what you're connecting to - a while back they had a problem with malware on connected computers pretending to be the DHCP server and infecting unpatched machines.

    If you're on a university campus you'll have a big external firewall because the university will be sitting behind a big NAT, so you're probably good.

    If you're in the csci department at your university, you might want to check (via Wireshark) that all of the machines are link-local isolated. Unfortunately there are design bugs in the TCP/IP stack that mean that computers that are situated next to you can do nasty things to your machine (e.g. ARP poisoning and DHCP poisoning (which can lead to DNS poisoning as well as network boot), as well as sending your network card network-on/network-off packets if they're enabled).

    The canonical solution for this is to have all of the machines on the network living in their own subnet, preventing different machines on the network from DHCPing or ARPing each other. If you do that, you only have to trust that the routers aren't compromised; you don't have to care about the machines that are connected.

  • AndyC

    evildictaitor wrote

    *snip*

    If you're on a university campus you'll have a big external firewall because the university will be sitting behind a big NAT, so you're probably good.

    A lot of University networks won't actually be behind a NAT at all, because they were the ones who got the initial set of Class B networks, so often they're actually handing out publicly addressable IP ranges internally (they really should be, and probably are, firewalled these days, however).

    That said, it's probably unlikely in most cases that there is much in the way of internal segregation between student residences, so it's definitely worth making sure your machine is treating the university network more like a public network than a private one.
