Checking out the initial request on github for this feature I wonder why is this necessary? What access does to the local network does the browser provide, or need to provide, and why isn't this something developers are more concerned about? I had a feeling this was possible as I see lots of mdns requests when I connect to certain things running sockets.
Visa application is riddled with scams. From the simple website that charges you twice the price to websites that will tell you that you were rejected and then fake your documents to get in with your name.
So they're probably trying to see that you're not one of those web servers, a proxy for them or detect some known C2 channels.
That would be quite clever for an incredibly horrible website. The other day my SO, who is a Turkish citizen, was filling up her visa application and after half an hour of meticulous form filling the system just kick her out. I think the session times out or something. If you haven't created an account or you haven't write down the current application ID everything is lost. In the process she was also directed to a non-.gov website for something during the process, I thought she was getting scammed but no.
It actually makes sense to have a paid service that makes this abomination less painful. Though they work with VFS Global for collecting the applications and relevant documents, the VFS Global itself is an abomination and doesn't help with the handling of the form filling anyway.
Recently EU streamlined the Schengen visa application process for Turkish citizens as those "visa agencies" that are the official agencies and the only way to apply for a visa for many countries don't actually help with anything and are scamming people by selling the "good hours" for the visa appointment on the black market. An agency was dropped for this and the scams by agencies were listed among the reasons to streamline the application process.
Both with US and EU people are losing scholarships etc. due to outrageous wait times that are sometimes are years ahead or there's an issue with the systems handling the applications.
I guess there must be an opportunity there to fix all this together with smaller stuff like handling transliteration and character encodings, I wonder if some of those scam site are not scams and actually help with it. An AI agent can be useful here.
The US executive branch, which implements foreign policy as well as immigration policy, is led by someone who doesn't understand who pays tariffs, managed to go bankrupt running casinos, and thinks that a trade deficit is not a measurement but an actual sum that one can owe. And likes to micromanage on things he has little to no idea about. So who even knows what's going on at USCIS except they got their budget illegally shifted to ICE at one point and now an application for naturalization that used to be bog-standard 6-8 months takes 3-4 years to process. But the US laws that controlled who is allowed in or out and how "status" is conceptualized have pretty much always been a hodgepodge of nonsense ever since the country ditched its open borders policy in 1883 to keep out the Chinese, and a lot of it relies on antiquated language ported over from nativism as expressed in the late 1800s and reinterpreted over and over in different ways administratively, and a lot of the vestiges are quite anti-business - sometimes selectively and racistly so - and the current administration have shown no sign of even comprehending the relationship between immigration, investment, and the economy generally, never mind making the system more sensible. I mean, it is the official policy of the ruling party to budget explicitly to shrink the labor pool at a time of declining birth rates and also, that part of the labor pool happens to be the part that pays taxes but receives next to no discretionary grants of entitlement benefits. So does America want business? It sure doesn't act like it does, and haven't consistently for quite some time.
My wife, a green card holder, applied for citizenship in April and was naturalized yesterday (from an EU country). Not that I don’t believe it could be true but where are you getting the 3-4yr timeline? If that’s accurate she/we may have dodged a massive bullet.
Spouses always get better treatment as there is
a voter who would be mad otherwise. They check for scam marriages but otherwise hurry the process through - if they don't a voter contacts their congressman to push the process. That voter will also likely know a lot of other voters and thus influence the next election while someone not married is unlikely to have that local network to use.
This is patently false for one reason - once someone has a U.S. green card and has met the residency requirement to apply for citizenship, the application form and process are the same for everyone, regardless of how they got their green card (through work, marriage, asylum, investment, etc.).
Once you are eligible to apply, the whole process is basically form N400->biometrics->interview (just doublechecking your name and other paper info, takes 5 minutes)->civics test->ceremony.
However, the timelines and process for getting the green card itself is different depending on the nature of your visa, and they will indeed try to check for scam marriages before you get your green card (if you were applying for it through the marriage visa).
I would love to see data that backs this up. While definitely plausible the pathway she followed to naturalization was based on time in country and not our marriage. I didn’t need to push but I’ve generally found my congressman (who is also almost our neighbor) to be pretty unresponsive on any other issue.
My understanding - which may not be correct - is the length of the process primarily depends on your country of origin and secondarily on how you are eligible. Very interested in any source showing that a relatively normal process has pushed out from months to years.
It's not new. Rabid ideologues on the other side blamed Obama for things that pre-dated his administration, as well. Some people just can't be rational when it comes to politicians they don't like.
Indeed, the real problem is a pervasive attitude that the USA is the best country in the world by far and everyone is clamoring to get in. We don't really care if foreigners come or not, and they'll come anyway, so why bother making the process friendly?
I don't see how blaming the pre-existing website on the current administration makes sense.
Many federal web sites were very quickly altered or replaced by the new administration.
This is common. Work begins on some web sites immediately after the election. For example, when a new president is sworn in, the White House web site flips immediately.
More to the parent poster's point, it has been widely reported in the legitimate media repeatedly that many federal web sites have been replaced or significantly altered by the current administration. There's an entire pseudo-department for it that also makes headlines for its greater transgressions.
Add to that severe and sudden budget and staffing cuts, and like all government functions -- you get what you pay for.
Elon Musk set out hundreds of very young and arrogant programmers to modify code throughout the federal government including to change decades old code used by Treasury, Social Security, etc. While this went on he would tweet idiotic statements like "Dead people are getting social security!" (because he didn't understand the deceased have beneficiaries) and "we're giving social security to people who are 150 years old!" (because he and we presume some subset of his young programmers didn't understand date fields being set to the epoch indicated the date of birth/death had not been recorded).
All this is to say we probably shouldn't assume any current US government website, especially ones that have to do with immigration, hasn't been completely modified by this team.
As I wrote elsewhere; they subcontract the bot protection to F5, an external company that I see for some reason a lot on old/horrible banking websites.
The hard truth of it all is that both the US and (partially) the EU don’t want to make this easier because seeing as wanting “outside” people is now a political liability. You may want to adjust your expectations around that.
Turkish tourist are desired, Turks love spending money on restaurants and activities especially since the prices in Turkey have become more expensive than most of the EU. Greeks even introduced special non-Schengen on-arrival visa valid on the Greek islands especially for the Turks. Besides that, EU has "green passport" exception for the Turkish nationals, where they can travel visa-free on this kind of passport that is provided to individuals that meet certain criteria and millions of such passports were issued.
The rejection rates are also not bad and EU has a "return agreement" with Turkey, which is designed to keep the middle eastern refugees in Turkey(essentially, if you come from Turkey EU can send you back to Turkey right away ).
Crime rates for Turks show up among the lowest ones, unlike others from the region. So I don't think that EU is trying to reduce visas for Turks.
I am EU citizen, I happen to know the Turkish perspective only because spent some years in Turkey and in fact it is the Turkish perspective that that EU doesn't want them and intentionally makes things harder but the moment you look at what's actually going on you see that this is not the case, just a Turkish fantasy about the "evil West and snobby Europeans". Considering that last year 50K Turks applied for asylum in EU and another 100K overstayed their visa, IMHO EU can be considered pretty generous actually with only 15% rejection rate since Turkey is the 2nd country with most applications after China.
Another data point - 5he Indian visa system is similar. The official website ending in .gov.in, which is hard to find, offers a visa for $10 and minimal hassle. The scam websites, with better SEO sell the same shit for $80. They’re just proxying your application to the real website and pocketing the difference.
It would be good if the Indian government could block the scammers but I guess it’s a lower priority for the moment.
Not sure if this is the case for India, but I've experienced similar situations for other countries, but the 'scam websites' actually provided a real service - if you needed some ultra-urgent processing (like you only realized you needed a visa to this country before boarding a flight, once you were already at the airport check-in...) they were able to provide 30 minute approval, whereas the official site's accelerated processing was 24 hours.
So obviously the only way they could to this is with government contacts meaning the government themselves could already do it, but a lot of immigration stuff everywhere is full of people taking kickbacks.
I found the real website, but the application never went through, always some issue. My boss told me which service to use and everything just worked. (I could expense that service so cost didn't bother me)
Just a guess, but maybe a typical bot has a webserver, ssh server, some other servers running on the same machine, whereas a typical Visa applicant doesn't.
Huh, how do you imagine that would work? This "scan" is happening inside client-side javascript, delivering the file through a proxy wouldn't "detect" anything about the proxy.
I imagine it may not be a proxy in the true sense, but a headless browser that's "proxying" the application process rather than the network traffic itself.
it's riddled with scams, and thinking any of this will detect any of the things you mention is very foolish, native and show a total lack of understanding of the scams. of you think using a proxy is essential for visa scam, i would even know where to begin to correct you.
it's one hundred per cent clueless privacy invasion. they are probably also opening ports via other means and using that for side channel ID like Facebook does.
just like any other documentation scam, the only weak point is on the "last mile" that's why you will always have a human interviewer.
the visa process is abusive and unpractical because people will work around any hurdle and their kpi will never be affected no matter how crappy they manage to make to whole process. or how many doge kids implement useless privacy invasion tech just because.
It's coming from a F5 script, which is a company that sells anti-bot protection amid other things. (It's coming from obfuscated script at /TSPD, which is a F5 thing.)
(There is some language online suggesting PNA has not actually shipped, but I experienced it myself in stable Chrome several years ago, so I am unsure of the current state).
Firefox doesn't implement either approach -- I assume this is indicative of their lack of development resources.
I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.
Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.
On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestigly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.
How does uMatrix handle the Facebook tracking pixel, or the replacement which is the Conversions API Gateway?
This is a container that FB gives you to host that lives under your domain (it can be your main domain) that slurps up user data and sends it to Facebook from the server side. You embed some JS in your website, and they hoover up the data.
It doesn't handle it. Anyway, there's no way to know what a website does on the server site. Even a completely static website could be sending the server logs somewhere.
There are options to not load JS, images, XMLHttpRequests, frames, cookies, for each site, but it doesn't list individual files.
> On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network).
It seems like they only make the localhost requests on your first visit. If you open devtools in incognito mode (or just clear the cookies) before accessing https://ceac.state.gov/genniv/ you should see those 127.0.0.1 attempts as ERR_CONNECTION_REFUSED in the network tab.
Somewhat more worryingly, Little Snitch doesn't report them at all, though that might just be because they were already blocked at the browser.
The requests are not made, because some operating systems prevent this.
If you're on OSX, the permission to "discover on the local network" prevents it from happening ( System Settings -> Privacy & Security -> Local Network -> yourbrowser )
Could also be 'network' permissions on firefox ( Go to Settings > Privacy & Security > Permissions ) which is on a per site level, but iirc that could be set site-wide at some point.
The other browsers likely have similar configs, but this is what I have found.
Just a little side note - in this context, it makes sense if the website tries to connect to a local port because you might be running a card reader(ie. terminal). This is how it works with some(all?) EU countries that have a chip in their ID cards, or even vehicle registration cards, which you can use to access sensitive information or perform certain administrative tasks on government websites.
Although, from personal experience, it used to require java and it worked only on internet explorer and since it has been retired and replaced with chromium, i am not sure what is the way to make it work nowadays, as i have not been able to figure out to use it when i needed the last time.
It requires installing a local service that bridges between the browser and the smartcard driver (what Java applets did in earlier years), and that the web app communicates with via requests on localhost. The card-specific driver and bridge service are often bundled together for installation.
I've had it before where it asked me to use an iPhone/Android app which can read the passport's NFC chip. I guess that's the modern replacement for IE/Java.
Many sites do it .Included in many standard device fingerprinting / anti anonymity SAAS. Ebay facebook etc all do this ! But it looks this is first party to prevent the adblocking of them
1MB of obfuscated fingerprinting + portscan + Webgl . But oddity this one is trying to find burp suite specific route's.
The company I work for has a legitimate service that runs on the loopback (it provides our web apps APIs for some device integration) hopefully its just as simple as the user accepting the prompt else we'll be drowning in support.
We had to go the path of the local service because they killed NPAPI. I've been thinking about using web serial as an alternative but Firefox doesn't support it.
That being said, I think this is an overall win, hopefully Firefox implements it in a consistent manner as well.
It would be the job of the operating system to give or take away the ability of your browser to access your local network. But you can run your browser in a container/vm and disable localhost. (And use a separate browser for localhost only if you need it.)
The "port scan" just seems to be a local connection to 127.0.0.1:8888. I don't know what purpose it serves on this page, but our government websites often use this technique to communicate with native software for digitally signing documents.
Could also be incompetence :D until I fixed it, deploying from my local machine rather than CD resulted in one of the baked in URLs being localhost rather than the public host on the project I'm working on now. Their local development server might just be at port 8888. Wouldn't surprise me.
I looked at the website again and noticed that the request paths looked odd, one of them being `/400_random_url_with_numbers_403`. I googled that and it looks like it's part of a client-side bot detection script that's testing something, the explanation isn't very informative.
> These requests are caused by the bot profile to test the different browser capabilities.
> 'http://127.0.0.1:xxxx' request is a call to the localhost/client machine, which is normal when trying to protect assets like end-server using ant-bot defense. It does not have any impact regarding application page load.
That extension has "Access your data for all websites" ... I really don't get how anyone can give that permission to anyone that isn't well known (a company with a lot on the line) or a person famous for their work (the uBO dev) who has stated he will never sell to anyone or do bad things.
"Hacks and Hops" doesn't even have a valid home page. The extension links to https://g666gle.me/ which does not exist. The domain name itself does not want to make me give access to all my data for all websites to them.
As nice as this extension seems, I would ever in a million years install it.
Yes. Facebook was using this trick on Android. Meta's android apps would host a server on localhost, and their sites would communicate with this local server to pass tracking information that would otherwise be blocked by all browser protection methods on Android. I guess it is still fingerprinting, but at the most extreme end.
It seems to be part of some "bot defense" product by these F5 people, to "test the different browser capabilities". I doubt it's intended to hit a real endpoint on any system.
Mostly it's great for tracking although I'm sure it could also be used to exfiltrate data (e.g. if the user is running something sensitive on localhost).
As far as I understand it, it is supposed to be a scan done by the browser on the user's computer, not an external scan, which a browser extension wouldn't be able to detect.
I see. So the website would try to access private IP adresses (RFC 1918) by having elements like <iframe src="http://10.0.0.1"> in the web site and then the web site would check if the iframe was loaded successfully?
Judging just from the screenshots, it seems it blocks websites from accessing 127.0.0.1 get requests. Not a port scan to the outside, more of what do you have running on the local machine inside your network.
If would be interesting to see what happens on OpenBSD. With pledge(2) and unveil(2) in Firefox, I wonder what it would see. I expect it would see nothing.
I will give it a try and see what happens and if I see anything I will add it here.
Capturing forensic artifacts of the local network allows a building a bridge strategy for identifying fraudulent networks without requiring knowledge of the path taken from destination to recipient. Other local devices do this and send the network map during a phone home, allowing comparison to a source of truth that is tied almost directly to the person, or group of people.
There is also a lot of fingerprintable material within such a port scan from clock skew, TCP ISN, and a few other areas.
You can sieve this quite easily with this available, thanks to Roku's, Phone's, and other things doing this while just sitting locally in a shared collision domain (a digital soldier quartered in every home).
The metadata node graph of devices locally acts as a unique fingerprint once in RFC1918 space, technically not unique but close enough.
It looks useful and looks good, there's minimal unneeded whitespace and I'm glad it looks as it does. We'd be better off if the entire web switched to a style like this.
"Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled."
Never knew that this existed. Thank you!
Checking out the initial request on github for this feature I wonder why is this necessary? What access does to the local network does the browser provide, or need to provide, and why isn't this something developers are more concerned about? I had a feeling this was possible as I see lots of mdns requests when I connect to certain things running sockets.
https://github.com/uBlockOrigin/uAssets/issues/4318
Is that available in lite version too? Now that the origin js being phased out
It’s only being phased out on Chrome, by Google.
Yes, to make us safer, now you enable developer mode and disable signature checking to install it locally, thanks Google
You can't change browser? Or is there something bigger happening?
Visa application is riddled with scams. From the simple website that charges you twice the price to websites that will tell you that you were rejected and then fake your documents to get in with your name. So they're probably trying to see that you're not one of those web servers, a proxy for them or detect some known C2 channels.
That would be quite clever for an incredibly horrible website. The other day my SO, who is a Turkish citizen, was filling up her visa application and after half an hour of meticulous form filling the system just kick her out. I think the session times out or something. If you haven't created an account or you haven't write down the current application ID everything is lost. In the process she was also directed to a non-.gov website for something during the process, I thought she was getting scammed but no.
It actually makes sense to have a paid service that makes this abomination less painful. Though they work with VFS Global for collecting the applications and relevant documents, the VFS Global itself is an abomination and doesn't help with the handling of the form filling anyway.
Recently EU streamlined the Schengen visa application process for Turkish citizens as those "visa agencies" that are the official agencies and the only way to apply for a visa for many countries don't actually help with anything and are scamming people by selling the "good hours" for the visa appointment on the black market. An agency was dropped for this and the scams by agencies were listed among the reasons to streamline the application process.
Both with US and EU people are losing scholarships etc. due to outrageous wait times that are sometimes are years ahead or there's an issue with the systems handling the applications.
I guess there must be an opportunity there to fix all this together with smaller stuff like handling transliteration and character encodings, I wonder if some of those scam site are not scams and actually help with it. An AI agent can be useful here.
You might be making the assumption that the US wants to make the process easier.
I'd invoke Hanlon's razor, but in this case, it's certainly both malice and stupidity...
That would be an abysmally poor assumption currently.
You use the same system for Business visas. Hard to imagine US wouldn’t want those as easy as possible.
The US executive branch, which implements foreign policy as well as immigration policy, is led by someone who doesn't understand who pays tariffs, managed to go bankrupt running casinos, and thinks that a trade deficit is not a measurement but an actual sum that one can owe. And likes to micromanage on things he has little to no idea about. So who even knows what's going on at USCIS except they got their budget illegally shifted to ICE at one point and now an application for naturalization that used to be bog-standard 6-8 months takes 3-4 years to process. But the US laws that controlled who is allowed in or out and how "status" is conceptualized have pretty much always been a hodgepodge of nonsense ever since the country ditched its open borders policy in 1883 to keep out the Chinese, and a lot of it relies on antiquated language ported over from nativism as expressed in the late 1800s and reinterpreted over and over in different ways administratively, and a lot of the vestiges are quite anti-business - sometimes selectively and racistly so - and the current administration have shown no sign of even comprehending the relationship between immigration, investment, and the economy generally, never mind making the system more sensible. I mean, it is the official policy of the ruling party to budget explicitly to shrink the labor pool at a time of declining birth rates and also, that part of the labor pool happens to be the part that pays taxes but receives next to no discretionary grants of entitlement benefits. So does America want business? It sure doesn't act like it does, and haven't consistently for quite some time.
My wife, a green card holder, applied for citizenship in April and was naturalized yesterday (from an EU country). Not that I don’t believe it could be true but where are you getting the 3-4yr timeline? If that’s accurate she/we may have dodged a massive bullet.
Spouses always get better treatment as there is a voter who would be mad otherwise. They check for scam marriages but otherwise hurry the process through - if they don't a voter contacts their congressman to push the process. That voter will also likely know a lot of other voters and thus influence the next election while someone not married is unlikely to have that local network to use.
This is patently false for one reason - once someone has a U.S. green card and has met the residency requirement to apply for citizenship, the application form and process are the same for everyone, regardless of how they got their green card (through work, marriage, asylum, investment, etc.).
Once you are eligible to apply, the whole process is basically form N400->biometrics->interview (just doublechecking your name and other paper info, takes 5 minutes)->civics test->ceremony.
However, the timelines and process for getting the green card itself is different depending on the nature of your visa, and they will indeed try to check for scam marriages before you get your green card (if you were applying for it through the marriage visa).
I would love to see data that backs this up. While definitely plausible the pathway she followed to naturalization was based on time in country and not our marriage. I didn’t need to push but I’ve generally found my congressman (who is also almost our neighbor) to be pretty unresponsive on any other issue.
My understanding - which may not be correct - is the length of the process primarily depends on your country of origin and secondarily on how you are eligible. Very interested in any source showing that a relatively normal process has pushed out from months to years.
I don't see how blaming the pre-existing website on the current administration makes sense.
It's not new. Rabid ideologues on the other side blamed Obama for things that pre-dated his administration, as well. Some people just can't be rational when it comes to politicians they don't like.
Indeed, the real problem is a pervasive attitude that the USA is the best country in the world by far and everyone is clamoring to get in. We don't really care if foreigners come or not, and they'll come anyway, so why bother making the process friendly?
I don't see how blaming the pre-existing website on the current administration makes sense.
Many federal web sites were very quickly altered or replaced by the new administration.
This is common. Work begins on some web sites immediately after the election. For example, when a new president is sworn in, the White House web site flips immediately.
More to the parent poster's point, it has been widely reported in the legitimate media repeatedly that many federal web sites have been replaced or significantly altered by the current administration. There's an entire pseudo-department for it that also makes headlines for its greater transgressions.
Add to that severe and sudden budget and staffing cuts, and like all government functions -- you get what you pay for.
So you claim the visa website was also changed by this administration?
Elon Musk set out hundreds of very young and arrogant programmers to modify code throughout the federal government including to change decades old code used by Treasury, Social Security, etc. While this went on he would tweet idiotic statements like "Dead people are getting social security!" (because he didn't understand the deceased have beneficiaries) and "we're giving social security to people who are 150 years old!" (because he and we presume some subset of his young programmers didn't understand date fields being set to the epoch indicated the date of birth/death had not been recorded).
All this is to say we probably shouldn't assume any current US government website, especially ones that have to do with immigration, hasn't been completely modified by this team.
You don't have a good enough imagination for how stupid our current leadership really is.
As a US citizen, I feel it’s opposite. Hard to imagine they’d want anything related to visas to be easy.
Hard to imagine that the US wouldn't be as paranoid, self-sabotaging, and bureaucratically inept as possible? </sarcasm>
As I wrote elsewhere; they subcontract the bot protection to F5, an external company that I see for some reason a lot on old/horrible banking websites.
F5 is huge in enterprise and academia for firewall/VPN/load-balancer services
The hard truth of it all is that both the US and (partially) the EU don’t want to make this easier because seeing as wanting “outside” people is now a political liability. You may want to adjust your expectations around that.
Turkish tourist are desired, Turks love spending money on restaurants and activities especially since the prices in Turkey have become more expensive than most of the EU. Greeks even introduced special non-Schengen on-arrival visa valid on the Greek islands especially for the Turks. Besides that, EU has "green passport" exception for the Turkish nationals, where they can travel visa-free on this kind of passport that is provided to individuals that meet certain criteria and millions of such passports were issued.
The rejection rates are also not bad and EU has a "return agreement" with Turkey, which is designed to keep the middle eastern refugees in Turkey(essentially, if you come from Turkey EU can send you back to Turkey right away ).
Crime rates for Turks show up among the lowest ones, unlike others from the region. So I don't think that EU is trying to reduce visas for Turks.
You are looking at it from Turkish perspective unfortunately.
I am EU citizen, I happen to know the Turkish perspective only because spent some years in Turkey and in fact it is the Turkish perspective that that EU doesn't want them and intentionally makes things harder but the moment you look at what's actually going on you see that this is not the case, just a Turkish fantasy about the "evil West and snobby Europeans". Considering that last year 50K Turks applied for asylum in EU and another 100K overstayed their visa, IMHO EU can be considered pretty generous actually with only 15% rejection rate since Turkey is the 2nd country with most applications after China.
https://home-affairs.ec.europa.eu/news/visa-applications-rea...
https://ec.europa.eu/eurostat/statistics-explained/index.php...
B-visa rejection rate for Turkey in FY24, as per the US State Department, was 19.78%, btw. https://travel.state.gov/content/dam/visas/Statistics/Non-Im...
The US gov’t has been actively targeting CANADA, one of the countries historically closest trading partners and allies.
Maybe in the EU it’s all good, but expect a lot of turbulence in the US.
That doesn't explain the same poor operational quality before it became a liability
Another data point - 5he Indian visa system is similar. The official website ending in .gov.in, which is hard to find, offers a visa for $10 and minimal hassle. The scam websites, with better SEO sell the same shit for $80. They’re just proxying your application to the real website and pocketing the difference.
It would be good if the Indian government could block the scammers but I guess it’s a lower priority for the moment.
The scam websites are probably owned by someone who works in the Indian govt.
Almost certainly, entire industries have been given over to indian scammers and their government allies.
Modhi, for one
Not sure if this is the case for India, but I've experienced similar situations for other countries, but the 'scam websites' actually provided a real service - if you needed some ultra-urgent processing (like you only realized you needed a visa to this country before boarding a flight, once you were already at the airport check-in...) they were able to provide 30 minute approval, whereas the official site's accelerated processing was 24 hours.
So obviously the only way they could to this is with government contacts meaning the government themselves could already do it, but a lot of immigration stuff everywhere is full of people taking kickbacks.
I found the real website, but the application never went through, always some issue. My boss told me which service to use and everything just worked. (I could expense that service so cost didn't bother me)
I'm not too familiar with network side stuff. What would a port scan be able to detect that would indicate that you're a scammer?
Just a guess, but maybe a typical bot has a webserver, ssh server, some other servers running on the same machine, whereas a typical Visa applicant doesn't.
This is a very clever answer.
Huh, how do you imagine that would work? This "scan" is happening inside client-side javascript, delivering the file through a proxy wouldn't "detect" anything about the proxy.
I imagine it may not be a proxy in the true sense, but a headless browser that's "proxying" the application process rather than the network traffic itself.
Proxy is being used in the traditional sense here. It’s common for a business (scam or legit) to handle visa applications on behalf of customers.
it's riddled with scams, and thinking any of this will detect any of the things you mention is very foolish, native and show a total lack of understanding of the scams. of you think using a proxy is essential for visa scam, i would even know where to begin to correct you.
it's one hundred per cent clueless privacy invasion. they are probably also opening ports via other means and using that for side channel ID like Facebook does.
just like any other documentation scam, the only weak point is on the "last mile" that's why you will always have a human interviewer.
the visa process is abusive and unpractical because people will work around any hurdle and their kpi will never be affected no matter how crappy they manage to make to whole process. or how many doge kids implement useless privacy invasion tech just because.
If the proxy scams are just a little clever, they'll run the proxy on an another IP.
It's coming from a F5 script, which is a company that sells anti-bot protection amid other things. (It's coming from obfuscated script at /TSPD, which is a F5 thing.)
https://www.f5.com/
TS seems to be short for TrafficShield (a product of some company F5 acquired in early 2000s) and PD seems to be Proactive Defense (?)
How and why do browsers allow this? Why wouldn't the browser ask for permission in the same way that it does for Microphone access?
It's insane to allow any random website to port scan my LAN. If this wasn't a "feature", I would have considered this a high severity vulnerability
Chrome doesn't allow it - local network services have to opt-in to being fetchable from public sites (https://github.com/WICG/private-network-access), although they're replacing it with a user-permission-based approach (https://github.com/WICG/local-network-access).
(There is some language online suggesting PNA has not actually shipped, but I experienced it myself in stable Chrome several years ago, so I am unsure of the current state).
Firefox doesn't implement either approach -- I assume this is indicative of their lack of development resources.
I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.
Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.
On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestigly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.
How does uMatrix handle the Facebook tracking pixel, or the replacement which is the Conversions API Gateway?
This is a container that FB gives you to host that lives under your domain (it can be your main domain) that slurps up user data and sends it to Facebook from the server side. You embed some JS in your website, and they hoover up the data.
It doesn't handle it. Anyway, there's no way to know what a website does on the server site. Even a completely static website could be sending the server logs somewhere.
There are options to not load JS, images, XMLHttpRequests, frames, cookies, for each site, but it doesn't list individual files.
Then why use it? They're number one.
uMatrix is archived and I think uBlockOrigin is now advised to use(which incorporate uMatrix by enabling advanced settings)
For those who want to try blocking more stuff you can enable hard mode and bind relax blocking mode keyboard shortcut
I'd recommend also enabling filter lists(I advice yokoffing/filterlists and your region/language)
https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...
But uBlockOrigin UI is so much worse...
Besides, uMatrix works fine. It's that kind of program that doesn't need any updates.
Until uBO has an even remotely usable interface for this use case people (including myself) will continue to use uMaxtrix or forks of it instead.
I reluctantly switched to only uBo because of uM bugs. But the UI/UX is just a huge step backwards to enable mobile usability.
uBO advanced settings still isn't as flexible as uMatrix was though, fwiw. (I did give in and switch in the end though.)
With uBO I can't block cookies by domain.
It seems to try to check if you are using the Burp Suite on their web application.
> On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network).
That will be this burp: https://portswigger.net/burp/documentation/desktop/tools/pro...
Sounds like they don't want you to analyze their site.
How does it manage to hide the requests to 127.0.0.1 from the network tab?
I have no ideea. Possibly that's a limitation of Chrome+Firefox developer tools (I get the feeling it's the same code)?
But I found what "burp" is: https://portswigger.net/burp/communitydownload
It seems like they only make the localhost requests on your first visit. If you open devtools in incognito mode (or just clear the cookies) before accessing https://ceac.state.gov/genniv/ you should see those 127.0.0.1 attempts as ERR_CONNECTION_REFUSED in the network tab.
Somewhat more worryingly, Little Snitch doesn't report them at all, though that might just be because they were already blocked at the browser.
This is what I see.
https://i.imgur.com/lvjg2YQ.png
> 400_random_url_with_numbers_403
That looks so much like test code that was shipped to prod.
Searches for that string on GH does return results.
The requests are not made, because some operating systems prevent this.
If you're on OSX, the permission to "discover on the local network" prevents it from happening ( System Settings -> Privacy & Security -> Local Network -> yourbrowser )
Could also be 'network' permissions on firefox ( Go to Settings > Privacy & Security > Permissions ) which is on a per site level, but iirc that could be set site-wide at some point.
The other browsers likely have similar configs, but this is what I have found.
Whitelisting seems to be the way to go. With IPv6 and OS generated IPs (up to what the ISP domestic router allows) could be very efficient.
Just a little side note - in this context, it makes sense if the website tries to connect to a local port because you might be running a card reader(ie. terminal). This is how it works with some(all?) EU countries that have a chip in their ID cards, or even vehicle registration cards, which you can use to access sensitive information or perform certain administrative tasks on government websites.
Although, from personal experience, it used to require java and it worked only on internet explorer and since it has been retired and replaced with chromium, i am not sure what is the way to make it work nowadays, as i have not been able to figure out to use it when i needed the last time.
It requires installing a local service that bridges between the browser and the smartcard driver (what Java applets did in earlier years), and that the web app communicates with via requests on localhost. The card-specific driver and bridge service are often bundled together for installation.
I've had it before where it asked me to use an iPhone/Android app which can read the passport's NFC chip. I guess that's the modern replacement for IE/Java.
Many sites do it .Included in many standard device fingerprinting / anti anonymity SAAS. Ebay facebook etc all do this ! But it looks this is first party to prevent the adblocking of them
1MB of obfuscated fingerprinting + portscan + Webgl . But oddity this one is trying to find burp suite specific route's.
my bank did this on the site they sent me to in order to activate my new card.
Madness! How do I harden my network against that?
Chrome is already in the process of killing it https://developer.chrome.com/blog/local-network-access
The company I work for has a legitimate service that runs on the loopback (it provides our web apps APIs for some device integration) hopefully its just as simple as the user accepting the prompt else we'll be drowning in support. We had to go the path of the local service because they killed NPAPI. I've been thinking about using web serial as an alternative but Firefox doesn't support it.
That being said, I think this is an overall win, hopefully Firefox implements it in a consistent manner as well.
Enable "Block Outsider Intrusion into LAN" filter list in uBlock Origin.
Thank you!
You should actually harden your browser or PC... to block any unwanted requests. Apparently some browser extensions can do that.
It would be the job of the operating system to give or take away the ability of your browser to access your local network. But you can run your browser in a container/vm and disable localhost. (And use a separate browser for localhost only if you need it.)
The "port scan" just seems to be a local connection to 127.0.0.1:8888. I don't know what purpose it serves on this page, but our government websites often use this technique to communicate with native software for digitally signing documents.
Are you seeing connection attempts to other IPs?
Might also be card readers, debug servers, etc.
Could also be incompetence :D until I fixed it, deploying from my local machine rather than CD resulted in one of the baked in URLs being localhost rather than the public host on the project I'm working on now. Their local development server might just be at port 8888. Wouldn't surprise me.
I looked at the website again and noticed that the request paths looked odd, one of them being `/400_random_url_with_numbers_403`. I googled that and it looks like it's part of a client-side bot detection script that's testing something, the explanation isn't very informative.
https://my.f5.com/manage/s/article/K000138794
> These requests are caused by the bot profile to test the different browser capabilities.
> 'http://127.0.0.1:xxxx' request is a call to the localhost/client machine, which is normal when trying to protect assets like end-server using ant-bot defense. It does not have any impact regarding application page load.
This is most likely an attempt to connect to a webserver on your own device to collect data and/or do tracking.
Remember back in June when Facebook/meta got caught tracking users trough a webserver on Android phone thought Messenger and Instagram? Same thing.
See: https://news.ycombinator.com/item?id=44169115 and https://news.ycombinator.com/item?id=44175940
How are you so sure?
That extension has "Access your data for all websites" ... I really don't get how anyone can give that permission to anyone that isn't well known (a company with a lot on the line) or a person famous for their work (the uBO dev) who has stated he will never sell to anyone or do bad things.
"Hacks and Hops" doesn't even have a valid home page. The extension links to https://g666gle.me/ which does not exist. The domain name itself does not want to make me give access to all my data for all websites to them.
As nice as this extension seems, I would ever in a million years install it.
Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?
Yes. Facebook was using this trick on Android. Meta's android apps would host a server on localhost, and their sites would communicate with this local server to pass tracking information that would otherwise be blocked by all browser protection methods on Android. I guess it is still fingerprinting, but at the most extreme end.
https://news.ycombinator.com/item?id=44169115
Routers with vulnerable URLs. You can search for: "router" "authentication bypass".
Isn't CORS supposed to prevent this?
CORS can trigger preflight requests, which can be enough to exploit vulnerabilities in routers and other local devices.
https://files.catbox.moe/g1bejn.png
When I visit the site from Safari on macOS I see this in the console. Are there any particular services that use port 8888 for the website to do this?
https://my.f5.com/manage/s/article/K000138794
It seems to be part of some "bot defense" product by these F5 people, to "test the different browser capabilities". I doubt it's intended to hit a real endpoint on any system.
Mostly it's great for tracking although I'm sure it could also be used to exfiltrate data (e.g. if the user is running something sensitive on localhost).
https://www.digitalsamba.com/blog/metas-localhost-spyware-ho...
Checking if you are sharing torrents, run a tor node, mine coins?
> Blocks malicious websites from port-scanning your computer/network
How does that work? A browser extension can't influence how your router and other machines in your network react to incoming requests.
As far as I understand it, it is supposed to be a scan done by the browser on the user's computer, not an external scan, which a browser extension wouldn't be able to detect.
Hopefully should soon be a thing of the past with https://developer.chrome.com/blog/local-network-access
I see. So the website would try to access private IP adresses (RFC 1918) by having elements like <iframe src="http://10.0.0.1"> in the web site and then the web site would check if the iframe was loaded successfully?
It could also just try making the request with javascript. Or try a websocket connection.
Judging just from the screenshots, it seems it blocks websites from accessing 127.0.0.1 get requests. Not a port scan to the outside, more of what do you have running on the local machine inside your network.
but it can hook javascript methods before that scan can happen.
Very interesting. Having looked at NoScript it seems like you can disable LAN as a default value under the allow tab.
Looking further
* uBlock Origin and Lite have it as an option under Filter List > Privacy > Block Outsider Intrusion into LAN
* Brave prevents it, tested with Aggressively block Trackers and Ads.
Why do you need a heavyweight extension to block sites from scanning your local network? Ridiculous.
Also I wonder if this protection is available only with old extension manifest version or new network request hooks API also supports it.
Perhaps to avoid people using misconfigured open proxies https://en.wikipedia.org/wiki/Open_proxy
Like a less sophisticated Tor/VPN that is easily detected by port scans
For another example, studentaid.gov doesn’t work in private browsing.
If would be interesting to see what happens on OpenBSD. With pledge(2) and unveil(2) in Firefox, I wonder what it would see. I expect it would see nothing.
I will give it a try and see what happens and if I see anything I will add it here.
Capturing forensic artifacts of the local network allows a building a bridge strategy for identifying fraudulent networks without requiring knowledge of the path taken from destination to recipient. Other local devices do this and send the network map during a phone home, allowing comparison to a source of truth that is tied almost directly to the person, or group of people.
There is also a lot of fingerprintable material within such a port scan from clock skew, TCP ISN, and a few other areas.
You can sieve this quite easily with this available, thanks to Roku's, Phone's, and other things doing this while just sitting locally in a shared collision domain (a digital soldier quartered in every home).
The metadata node graph of devices locally acts as a unique fingerprint once in RFC1918 space, technically not unique but close enough.
this is awesome
is it true visa and paypal are able to mkae you unable to buy games on steam?
My biggest grief with that site is that it's like something from the 90s.
Yeah it should have a fixed header and footer along with a pop-up consent drawer so you can only see 10% of the actual site content.
So much better.
Modern web design is a joke.
>like something from the 90s
It looks useful and looks good, there's minimal unneeded whitespace and I'm glad it looks as it does. We'd be better off if the entire web switched to a style like this.
The 1990s web was actually good
As something from the 90s myself, I find this rude.
It's also inaccurate, as this style of page (relating to layout and specific graphic style) didn't appear until 2006ish.
I think you are confusing something from the 90 with something from the gov
These guys need to look at Gov.uk, this site is a total horror show.
I wish gov.uk was even a smidgen as "outdated" looking as that page.
Be careful your security tool isn't producing false positives.
I remember years back when people would run these firewalls and we'd get complaints from home users about normal traffic.
Thinks like complaints our mail servers was scanning them on port 25 when they sent email.