Port Authority

[ACK-J]

Basic Information

Name: Port Authority
Category: Browser Add-ons
URL: https://github.com/ACK-J/Port_Authority
Blog Post: https://www.g666gle.me/Port-Authority/
URL: https://addons.mozilla.org/en-US/firefox/addon/port-authority/
Section of PrivacyGuides: https://privacyguides.org/browsers/#addons

What does this addon do?

1. Blocks all possible types of port scanning through your browser (HTTP/HTTPS/WS/WSS/FTP/FTPS)
2. Dynamically blocks the ThreatMetrix tracking scripts made by one of the largest and least ethical data brokers in the world (Lexis Nexis)
3. Easily auditable, with the core functionality being about 250 lines of code. HERE
4. Gives a nice notification when one of the above scenarios are blocked
5. This addon doesn't store/transmit/log any data or metadata about you or your requests... because, ya know, privacy

Test All Forms of Port Scanning

• A webpage I made to test all forms of scanning in one location: https://www.g666gle.me/PortScan.html

UI and Functionality

The GUI allows you to toggle functionality of the addon and view blocked items.	Chick-fil-A attempting to run ThreatMetrix scripts but being blocked by Port Authority.	Discord port scans your computer using websockets, attempting to connect with the desktop Discord app.

Why I wrote this addon?

I was intrigued back in May of 2020 when eBay got caught port scanning their customers. I noticed that all of the articles covering this topic mentioned that there was nothing you could do to prevent it... so I wanted to make one. After going down many rabbit holes, I found that this script which was port scanning everyone is, in my opinion, malware.

Here's why I think that:

• The browser data being exfiled from your computer is encrypted into an image with XOR.
• The domain it reaches out to is made to look legitimate but redirects using a CNAME record to Lexis Nexis' servers.
• It can determine your “real IP” address even if you use a VPN / Proxy HERE.
• The javascript is assembled via string.join (like malware often does) and then executed in a service worker.
• Each time you load the page, the javascript is re-obfuscated.
• The script collects 416 pieces of personally identifiable information about you and your network. ( Shown HERE )

So I developed multiple ways to stop this. The first being the existing functionality built into Port Authority. By default, Port Authority will check the sites that your browser reaches out to, and if it redirects to Lexis Nexis' infrastructure, it will be blocked, and you will receive a notification. The second is a Python script I wrote which uses Shodan to find all of Lexis Nexis' customer-specific domains on the internet HERE. You can add the script's output to a blocker such as uBlockOrigin to prevent your computer from connecting to them.

[PhysicsIsAwesome]

Is using the filter list "Block access to LAN" in uBlock Origin not enough to prevent port scanning?

[ACK-J]

Yes and no, Look below at my comment under tommytran732 :)

[TommyTran732]

Well I am working on the browser PR right now and we are very cautious with browser extension recommendations. Right now, uBlock Origin is the only browser extension we recommend and IMO PG should not add any extensions unless it is absolutely necessary.

There are several things at play here:

1. Shouldn't the user already have an inbound firewall to protect them (if its actually trying to scan their public IP)? I do intend to write about this at some point when the OS section is reworked.
2. Whatever open port the user has should be secured. If someone knowing of an open port on your system is a problem, then your security is messed up and that needs to be fixed. I don't even worry about port scanning on my servers.
3. I don't see how it can determine the user's real IP. If this is the case though, this is a serious problem. Could you elaborate more on this? Your screenshots looks like it's just trying to open websocket connections.
4. In order to exfiltrate data on your computer, shouldn't a malicious website have to exploit a vulnerability in the browser itself to accomplish that? If browser vulnerabilities is an issue, then wouldn't sandboxing the browser be a better idea?

[TommyTran732]

Where did you get this data?

[TommyTran732]

I found this on Firefox https://www.ctrl.blog/entry/block-localhost-port-scans.html
It should block this. I am looking for Chromium based right now

[ACK-J]

It was decrypted ( I forget who exactly ) using the python script given in that Dan Nemec blog.

[ACK-J]

I found this on Firefox https://www.ctrl.blog/entry/block-localhost-port-scans.html It should block this. I am looking for Chromium based right now

Just skimming that article it looks like it is a much more "permanant" and hacky solution, composed of 8+ steps (not very convienient to turn off in my opinion), as browsers do need to talk to localhost in dev situations. Port Authority ( or even uBO ) is much more thorough than this article as it only blocks 127.0.0.1 and localhost.

Also addressing your chromium comment. Hopefully soon I will find the time to port Port Authority over to chromium :)

[ph00lt0]

I believe this can be marked as answered. It's a nice project but doesn't really provide more protection then ublock origin does now. @TommyTran732

[SkewedZeppelin]

Kindly, I don't see the benefit to this.
Your list of their domains are all cnames of *.online-metrix.net.

uBlock Origin already has CNAME uncloaking and a (default disabled) list to block LAN access.
uBlock Origin already blocks online-metrix.net by default through the AdGuard tracking and Peter Lowes' list.

I've had this domain in my mobile and experimental blocklist since 2015, which is included in my combined list: https://divested.dev/index.php?page=dnsbl
It is also in many other lists people are already likely to use, such as OISD and @lightswitch05's.