Google is always working on ways to make Chrome more secure. Starting in Chrome 98, the company will make it much harder to attack network devices such as your router or printer thanks to a new security measure called Private Network Access.
As first reported by Ars Technica, Chrome 98 will intercept requests when public websites want to access endpoints inside a user’s private network (such as your router, printer, NAS, smart home gadgets, and more) and then log the attempt. In later versions of Chrome, possibly as soon as Chrome 101, the browser will actually block these requests until you grant permission.
In its rollout plan, Google says, “Private Network Access (formerly known as CORS-RFC1918) restricts the ability of websites to send requests to servers on private networks.”
Routers are often attacked, especially by worms, and taken over by botnets that use them for DDoS attacks. But did you know that websites have used web browsers to attack routers, too? Now, Google is going to stop websites from ever using Chrome to perform an attack of this sort again.
On a large scale, this could keep major services like AWS from going down, and on a smaller scale, it could prevent end-users from having their connections overloaded through DDoS attacks.
In 2014, hackers used cross-site request forgery to change the DNS server settings on more than 300,000 wireless routers, an attack that was only possible because of the open nature of browsers. If this change to Chrome had been active, this attack wouldn’t have occurred.
There isn’t a set launch date because Google needs to use the trial period to make sure significant parts of the Internet aren’t broken by this change. Assuming nothing significant breaks, this will create an extra layer of security in Chrome that could prevent an entire class of web attacks.
Starting with Chrome 98, the browser will send preflight requests ahead of private network subresource requests (websites requesting access to devices on your private network). Any failures display warnings in DevTools, without otherwise affecting the requests. Chrome will gather data and reach out to the largest affected websites to let them know.
With Chrome 101 (if everything goes well during testing), preflight requests must succeed. Otherwise, the requests will fail.
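The preflight exchange described above, sketched as an added example (not code from the article or from Google): the browser-side decision about when a request counts as a private network request, and a device-side handler that approves only allow-listed origins. The header names follow the Private Network Access draft rather than this article; the address table and browser check are simplified, and the origins and IP addresses are constructed.

```python
import ipaddress

# Simplified address-space table (assumption, following the PNA draft).
_SPACES = [
    ("local", ["127.0.0.0/8", "::1/128"]),
    ("private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.0.0/16", "fc00::/7", "fe80::/10"]),
]
_RANK = {"public": 0, "private": 1, "local": 2}

def address_space(ip):
    """Classify an IP address as 'local', 'private' or 'public'."""
    addr = ipaddress.ip_address(ip)
    for space, nets in _SPACES:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return space
    return "public"

def is_private_network_request(page_ip, target_ip):
    """True when the target is in a less public space than the page."""
    return _RANK[address_space(target_ip)] > _RANK[address_space(page_ip)]

def answer_preflight(method, headers, allowed_origins):
    """Device side: return (status, headers) for a PNA preflight."""
    h = {k.lower(): v for k, v in headers.items()}
    if method != "OPTIONS" or h.get("access-control-request-private-network") != "true":
        return 400, {}  # not a PNA preflight; nothing else handled here
    origin = h.get("origin", "")
    if origin not in allowed_origins:
        return 403, {}  # no allow headers, so the preflight fails
    return 204, {
        "Access-Control-Allow-Origin": origin,  # explicit origin, not a wildcard
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Private-Network": "true",
        "Vary": "Origin",
    }

def preflight_succeeds(status, resp_headers, origin):
    """Browser side (simplified): may the real request be sent?"""
    return (200 <= status < 300
            and resp_headers.get("Access-Control-Allow-Origin") == origin
            and resp_headers.get("Access-Control-Allow-Private-Network") == "true")

if __name__ == "__main__":
    req = {"Origin": "https://unknown.example",  # constructed request
           "Access-Control-Request-Private-Network": "true"}
    print(answer_preflight("OPTIONS", req, {"https://setup.vendor.example"}))
```

A device that never answers the preflight behaves like the 403 case here: once Chrome enforces the check, requests from public pages to it fail.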
For most Chrome users, not much should change in their day-to-day web browsing. However, there will be a more secure experience when the update eventually goes live and there may be some additional prompts to allow or deny.
If you want all of the technical details about what will happen and how it works, you can read Google’s Private Network Access post. It gets into all the technical stuff, but most people will be happy to know that the browser will cut off a specific type of attack before it starts, and that’s a good thing.