Podcasts
Word Notes
Ep 108
Word Notes 7.19.22
Ep 108 | 7.19.22

Private Network Access (PNA) (noun)

Show Notes
Transcript

Rick Howard: The word is: PNA. 


Rick Howard: Spelled: P for private, N for network, and A for access 


Rick Howard: Definition: a browser configuration control that prevents accessing resources within a private network. 


Rick Howard: Example sentence: Chrome is deprecating access to private network endpoints from non-secure websites as part of the Private Network Access specification.  


Rick Howard: Origin and context: Google rolled out the cross-origin resource sharing protocol, or CORS, to its Chrome browser early in 2022. According to Titouan Rigoudy at Google, the CORS goal is 'to protect users from cross-site request forgery attacks, or CSRF attacks, targeting routers and other devices on private networks." In other words, with this control turned on, any attacker that has taken control of a browser page will not be able to connect to any local network resources that don't already connect to the public internet.  


Rick Howard: Software developers, Ryan Sleevi, Titouan Rigoudy, and Frédéric Wang explained on a GitHub page, "this specification only affects requests from a public IP address to a private IP address or local host, and requests from a private IP address to local host. This may change to cover all cross origin requests to the private network in the future."  

Rick Howard: Simon Kölsch at innoQ notes that websites and applications may need to adjust this change to continue functioning properly. "It might not affect you at all if the user facing part of your application is hosted on servers within a public IP range. If however your application is included in an iframe and access through your local internet, like your VPN, you might run into problems with Chrome."  


Rick Howard: Nerd reference: On the IT Pro TV show in January, 2022, Daniel Lowrie talked about the significance of the Google CORS initiative.  


Daniel Lowrie: What they're trying to implement is a new protocol to stop malware from reaching inside of your own home personal network and accessing resources there. That's what this is all about. 


Daniel Lowrie: So it is a security bump, like so that they don't go, oh, well, how about that? There's a nice router at 192168.0.1, maybe it has a vulnerability that I can exploit and start to have some sort of conversation with it.  


Daniel Lowrie: So from now on what it'll do with this new protocol is it will say if I receive a request for an internal resource, it must first pass the test that we allow that type of thing. If it doesn't, which by default, nothing will, then it won't allow access into those resources.  


Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.

Word Notes
Podcast Info
HOST(S):
Rick Howard
Rick Howard is the CSO of N2K and the Chief Analyst, and Senior Fellow at the N2K Cyber, formerly CyberWire. His past lives include CSO at Palo Alto Networks, CISO at TASC, the GM at Verisign/iDefense, the Counterpane SOC Director, and the Commander of the Army's Computer Emergency Response Team (CERT). Rick served 25 years in the Army, taught computer science at West Point, edited two books and just published his own book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics" and he is regularly joined at the N2K Cyber's Hash Table by a collection of industry experts.
Schedule: Tuesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
Sponsored by KnowBe4
Sponsored by KnowBe4

KnowBe4, the provider of the world’s largest integrated security awareness training and simulated phishing platform. KnowBe4 helps organizations address the human element of security by raising awareness of social engineering tactics through a new-school approach to security awareness training. Learn more at KnowBe4.