Though you may think your home network is secure, attackers may be able to sneak in through your web browser and leverage vulnerabilities to pivot to internal devices. This is especially true for Internet of Things (IoT) equipment, which is notoriously insecure, requiring regular patches or even warnings from the federal government. The same attack is feasible against just about anything on your home network, however, and Google is looking to prevent it with a new feature of Google Chrome and Chromium dubbed Private Network Access.
Private Network Access, formerly known as CORS-RFC1918, “is a web specification which aims to protect websites accessed over the private network (either on localhost or a private IP address) from malicious requests from websites located outside the private network.”
Typically, devices on a home network might assume they are secure by virtue of being on the owner’s local intranet or machine and thereby unreachable from the internet. However, this is simply not the case: accessing a website exposes your intranet, allowing an attacker to hop from the outside in and compromise your devices.
PNA looks to address this in a few ways, first by blocking non-HTTPS websites served from public IP addresses from making requests to private IP addresses or localhost. This first step is indicative of the broader approach to securing private networks, in which private network requests are generally blocked if they come from non-secure contexts.
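The rule described above can be modeled in a few lines. This is an added example, not Chrome's code or anything from the specification's authors; it assumes IPv4 only, approximates "secure context" as an `https:` page URL, and uses hypothetical names (`addressSpace`, `checkRequest`) and constructed sample addresses.

```javascript
// Added illustration; simplified model, not Chrome's implementation.
const RANK = { public: 0, private: 1, local: 2 }; // least to most private

// Parse a dotted-quad IPv4 literal into an integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(n, base, bits) {
  const start = ipv4ToInt(base);
  return n >= start && n < start + 2 ** (32 - bits);
}

// Assumption: IPv4 only; loopback is "local", RFC 1918 ranges are "private".
function addressSpace(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) throw new Error("not an IPv4 literal: " + ip);
  if (inCidr(n, "127.0.0.0", 8)) return "local";
  const rfc1918 = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];
  return rfc1918.some(([b, l]) => inCidr(n, b, l)) ? "private" : "public";
}

// Decide whether a page loaded from pageIp may send a request to targetIp.
// Assumption: "secure context" is approximated as an https: page URL.
function checkRequest(pageUrl, pageIp, targetIp) {
  const from = addressSpace(pageIp);
  const to = addressSpace(targetIp);
  const secure = new URL(pageUrl).protocol === "https:";
  const towardPrivate = RANK[to] > RANK[from];
  return { from, to, allowed: !(towardPrivate && !secure) };
}

// Constructed sample requests (documentation-range and RFC 1918 addresses).
const samples = [
  ["http://shop.example/", "203.0.113.10", "192.168.1.1"],
  ["http://shop.example/", "203.0.113.10", "127.0.0.1"],
  ["https://shop.example/", "203.0.113.10", "192.168.1.1"],
  ["http://192.168.1.5/", "192.168.1.5", "192.168.1.1"],
];
for (const [url, pageIp, targetIp] of samples) {
  console.log(url, "->", targetIp, checkRequest(url, pageIp, targetIp));
}
```

Only the secure-context rule from the paragraph above is modeled here, so an HTTPS page passes this check.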
As it stands, this feature is in development and will be rolled out initially in a warning mode, which will eventually turn into a full blocking mode once people have made the necessary adjustments. All told, this could prove to be an incredibly useful security feature that sits in the background and won’t affect end users all that much.
Hopefully it won’t take too long to get this out there, but in the meantime, end users should always be aware of the links they are clicking and only access sites which they trust. You never know what could be lurking out there on the internet trying to pwn your home network.