Security Concern: Beacon/Ping? Not sure, not enough coffee


#1

Just ran Wireshark with Brave again and it is worse than the last time I ran it. In the 20k+ lines of pcap data, I found many which pinged every device on the network:

913 22.802650499 <LOCAL_IP_ADDRESS> 224.0.0.251 MDNS 259 Standard query response 0x0000 PTR, cache flush **####-**iPad.local PTR, cache flush **####-**iPad.local NSEC, cache flush 2.F.7.2.E.A.4.C.1.3.4.F.6.B.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa NSEC, cache flush <LOCAL_IP_ADDRESS>.in-addr.arpa OPT

Is this a security concern? I’m going to close this browser and re-run with Firefox to see what if it pings all local connections and will post results after. Thank you in advance.

NOTE: I replaced the info in bold with generic info.

EDIT:

Firefox did not report any of the connected devices on my local network. Can I turn this off in Brave? I don’t see a GUI way to do it.


#2

cc @yan @jumde on this.


#3

Is this a feature we can disable? I have no desire for Brave, or any other browser, to browser my local network.

Thanks!


#4

This is a serious security concern; do the devs read and answer forum posts? Or, has anybody else verified this? Or, is there a way to disable this?

Thank you in advance.


#5

This is Multicast-DNS. It’s how devices on your network talk to each other. mDNS is usually provided by the avahi service on Linux. This has nothing to do with Brave (unless you try to visit a .local address.) Devices will periodically broadcast their mDNS names and IP addresses to the other machines on the same network.


#6

Why, then, does Firefox not do it? Nor Palemoon or Waterfox. Chromium definitely does it, as does Brave.

Edit: One is able turn this crap off in Firefox, so, I was hoping one could turn it off in Brave, as well.


#7

Aha, that may be a good hint. There’s still the question why Brave & Chromium would cause this.
I don’t think it’s a security concern in the first place but of course, knowing all devices in a certain network could well be used for fingerprinting. So if that’s something buried in the Chromium back-end, I see some reasons for Brave to hunt it down and remove it or at least turn it off by default and provide a switch to turn it back on. I can’t see another reason, a browser should totally not need to know other devices on a network that it will never contact. (A local web server would be the lone exception, but this should be handled differently anyway.)

Hmm, none of the methods mentioned there seem to apply to this, not even “Network detection”. @sd992, have you managed to switch this behavior on with firefox? Because, according to your report, it seems to be off by default or at least off in your configuration.


#8

Huh, not sure why Firefox doesn’t do it. I posted my user.js in another thread, maybe it’s another change.

Anybody with wireshark and a few browsers can take a look at what connections are made and when. I had posted awhile back about Brave’s DNS calls outside my DNS settings. That’s totally not cool. That information was found through wireshark, as well:

23 5.339104702 192.168.0.xxx 1 66.70.211.246 DNS 76 Standard query 0xb8d6 A s3.amazonaws.com
…
1582 38.712626391 192.168.0.xxx 1 66.70.211.246 DNS 101 Standard query 0xb2d8 A voidlinuxforum.s3-eu-west-1.amazonaws.com

Here’s Firefox’s results for the same page:

44 9.884552868 66.70.211.246 192.168.0.xxx 1 DNS 132 Standard query response 0x9c19 ns0.opennic.glue
…
141 16.890797458 66.70.211.246 192.168.0.xxx 1 DNS 281 Standard query response 0x3ef5 A voidlinux.euA 148.251.199.115 NS c.dns.gandi.net NS a.dns.gandi.net NS b.dns.gandi.net A 173.246.98.1 AAAA 2604:3400:abca::1 A 213.167.229.1 AAAA 2001:4b98:abcb::1 A 217.70.179.1 AAAA 2604:3400:abcc::1

I’ll try to take a snapshot of the actual Brave vs. Firefox results and post them, that might help the developers see the problem.


#9

You do realize that your browser, operating system, and router all individually cache DNS responses? Did you purge those caches before attempting to compare them?

If you mean to say that there is something wrong, then you need to include a lot more information. You’re not saying what you’re doing or what you expect to happen. You’re really just rambling nonsensically into the void here.


#10

Yes, I purged my DNS cache.

What information do you need? I opened up the browser, typed in an address and noticed DNS queries outside my system and router DNS settings. Shouldn’t all DNS queries respect those settings?

Without telling me WHAT information is required, it’s hard to supply what you think you need. Let me know, and I"ll see what I can provide.

As for the original problem: Why does Brave search my whole local network where Firefox does not? I thought that was very clear from my first post. Chromium also follows the same behavior. I actually had to install Chromium to verify this.

I don’t have the avahi-daemon running. The command:

ps aux | grep avahi

produces no results. I usually have as little as possible running and checking my installed packages, I don’t even have avahi installed.