undefined | Better HN

0 pointspedasmith9y ago0 comments

Hey! I didn't implement the loopback restriction in WinRT, but I sure was one of the PMs in the network team when it happened.

As it turns out, pretty much everyone on the thread is right. Localhost is special on a network: it's the only machine that that you're guaranteed actually exists, and is therefore qualified as a high-value target for the bad guys.

I hadn't heard about the printer creating a local HTTP server, but it sure doesn't surprise me one bit.

At the same time, we could identify companies with real products that we wanted in the WinRT ecosystem but where the company already had an architecture that assumed that they could connect to localhost. It was a very painful call, but in the end we decided that security was more important than these companies.

We decided against a checkbox because users already have too many checkboxes, and mostly don't understand any of them.

If knowing the current local IP address gives you access to localhost, that would be a bug. More likely, you see that it works because you're running in a debugger, where the access to localhost is restriction isn't currently enforced.

And for goodness sakes everyone -- stop restricting yourself to IPv4! IPv6 is a real and growing thing! We made a bunch of fixes in Windows just so that the WinRT network APIs would work perfectly without ever knowing or caring whether you were going over IPv4 or IPv6.

0 comments

WayneBro9y ago

> We decided against a checkbox because users already have too many checkboxes, and mostly don't understand any of them.

How did you decide that it was too many? Also, if users don't understand any of them, what's the big deal about one more checkbox?

This was a bad decision IMO and it's the kind of thing that is causing nobody to use UWP. There are so many stories out there of people trying to use UWP for their project and then turning back when they realize how restricted the sandbox is.

Honestly, doesn't it seem a bit absurd that UWP apps can talk to anything else on my network except for Win32 processes on my own computer?

If Windows Phone were a thing, I'd probably be building UWP apps already. Mobile devices are the only place where I accept these types of restrictions, but it's mostly because I have no choice. If Microsoft comes out with a phone that can run Win32 apps, I'd switch to that in a heartbeat because then I could get full Chrome with extensions and I'd be able to do things like run uBlock, quick javascript switcher and all my other favorite extensions. (Yay freedom!)

rasz_pl9y ago

How about approaching this from the other end - reengineer windows filtering to allow control of localhost traffic.

pedasmithOP9y ago

Because how would an ordinary person every make the right choice? How would any kind of anti-virus every tell the difference between a "good" program that's connecting to an embedded web server in an appropriate way, and a "bad" one that's intended to take over the system?

Most other checkbox security choices at least can be explained. A word processor probably doesn't have any legitimate reason to use Bluetooth (for example), and therefore a customer has a chance of making a reasonable choice.

But for localhost access -- my word, there's no rhyme or reason for it. As a simple example, I worked on a statistical package back in the 90's (yay RS/1!) that was implemented as two programs on Windows. One was the GUI client and the other the statistical server. There's nothing about "statistics" that obviously screams, "must have localhost permissions" :-)

rasz_pl9y ago

Because you currently ship systems with firewall that is unable to filter outbound traffic per application. DnsCache bypasses filtering by effectively providing tunnel between localhost and external network interface. Maybe you know of a way to selectively limit access to DnsCache per application? effectively whitelist a couple and block the rest?

Ordinary person argument is flawed. So called ordinary person doesnt even know what a network card is.

j / k navigate · click thread line to collapse

0 pointspedasmith9y ago0 comments

Hey! I didn't implement the loopback restriction in WinRT, but I sure was one of the PMs in the network team when it happened.

I hadn't heard about the printer creating a local HTTP server, but it sure doesn't surprise me one bit.

We decided against a checkbox because users already have too many checkboxes, and mostly don't understand any of them.

0 comments

WayneBro9y ago

> We decided against a checkbox because users already have too many checkboxes, and mostly don't understand any of them.

How did you decide that it was too many? Also, if users don't understand any of them, what's the big deal about one more checkbox?

Honestly, doesn't it seem a bit absurd that UWP apps can talk to anything else on my network except for Win32 processes on my own computer?

rasz_pl9y ago

How about approaching this from the other end - reengineer windows filtering to allow control of localhost traffic.

pedasmithOP9y ago

rasz_pl9y ago

Ordinary person argument is flawed. So called ordinary person doesnt even know what a network card is.

j / k navigate · click thread line to collapse