"WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Discussions about the Application Boundaries Enforcer (ABE) module
phyzome
Posts: 6
Joined: Wed Aug 12, 2009 6:52 pm

"WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by phyzome » Thu Nov 24, 2016 3:52 pm

When the ABE checkbox "WAN IP ∈ LOCAL" is enabled, I periodically get an HTTP Authentication popup from Firefox asking for my router password. Now, I've read a previous post about why this happens and that I should just ignore it, and in fact originally used Wireshark to discover that the user-agent string of the request contains a URL leading to https://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/ with an explanation.

I kind of get why it's necessary. It seems like a reasonable thing to have enabled. But surely there's a way for NoScript to do this task without a popup?
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by barbaz » Thu Nov 24, 2016 3:56 pm

What NoScript version?
If some 2.9.5 version, do you get the popup with NoScript 2.9.0.14?

Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a
*Always* check the changelogs BEFORE updating that important software!
-

phyzome
Posts: 6
Joined: Wed Aug 12, 2009 6:52 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by phyzome » Thu Nov 24, 2016 4:13 pm

This is on NS 2.9.0.14 and Firefox ESR 45.4.0. And... I just checked for updates again, although I swear I did that the other day, and I see updates for NoScript. Will upgrade and report back, although it may take a day for the popup to come 'round again. (If I forget to respond, assume it didn't happen again, although I will try to report back.)
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

phyzome
Posts: 6
Joined: Wed Aug 12, 2009 6:52 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by phyzome » Thu Nov 24, 2016 4:16 pm

Confirmed in 2.9.5.1 as well.
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by Thrawn » Fri Nov 25, 2016 2:55 am

NoScript isn't doing anything to cause the popup except to send traffic to Giorgio's echo service. Why the router asks for your password I'm not sure.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by barbaz » Fri Nov 25, 2016 3:01 am

Thrawn wrote:NoScript isn't doing anything to cause the popup except to send traffic to Giorgio's echo service.

I would think it'd be the fingerprinting of the WAN IP that causes it, no?

Would probably need insight from Giorgio as to why some people get prompted for the router password where others don't.
*Always* check the changelogs BEFORE updating that important software!
-

phyzome
Posts: 6
Joined: Wed Aug 12, 2009 6:52 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by phyzome » Fri Nov 25, 2016 3:51 am

barbaz wrote:I would think it'd be the fingerprinting of the WAN IP that causes it, no?


Yes, that's my guess. This router doesn't even respond to HTTP on its WAN side, but it will respond on the LAN side when *addressed* by its WAN IP.

barbaz wrote:Would probably need insight from Giorgio as to why some people get prompted for the router password where others don't.


I think most newer routers use an HTML login form instead of an HTTP Basic Auth login; that would account for some differences. Presumably the way NS is making the request is allowing user interaction prompts instead of being a "headless" request or whatever.
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by Thrawn » Mon Nov 28, 2016 1:17 am

The thing is, NoScript isn't trying to talk to the router. It's just asking a remote echo service to tell it the apparent (ie external) address of the router. I'm not sure what component is turning that into a request aimed at that address.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

phyzome
Posts: 6
Joined: Wed Aug 12, 2009 6:52 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by phyzome » Mon Nov 28, 2016 2:02 am

Someone said that there are two steps: 1) NS asks for the WAN IP, and 2) NS talks to the router to fingerprint it. I don't know what #2 is supposed to accomplish, but that's where I imagine this prompt is coming from.

I can try to run another capture, but I remember seeing a NS-specific User-Agent header in the request, which means NS is behind this. As I recall it, it appears to match this changelog message:

NoScript addons.mozilla.org release 2.0.1rc2

v 2.0.1rc2
==========================================================================
+ [ABE] "X-ABE-Fingerprint: Off" header can be sent by web servers which
don't want/need to be fingerprinted by ABE's WAN IP protection
+ [ABE] User agent header "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)"
is sent to help administrators finding info about ABE's fingerprinting
x [ABE] Fingerprint checks are performed every 15 minutes, rather than 5
x Fixed early access to document.documentElement breaking XBL bindings
on SeaMonkey trunk (thanks therube for reporting)


Here, you can see the code changes in this unofficial git mirror of NS: https://github.com/avian2/noscript/commit/44f07436ad (why doesn't NS have a public repo?)
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by Thrawn » Mon Nov 28, 2016 2:16 am

Huh, I had previously completely missed the fact that the WAN protection feature does in fact talk to the router directly, to fingerprint it and determine whether or not it needs to consult the echo service to recheck the external IP.

Unfortunately I'm still not sure whether NoScript can do anything to avoid this popup (except disabling the WAN IP check). It's coming from the router.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by barbaz » Mon Nov 28, 2016 2:37 am

phyzome wrote:Someone said that there are two steps: 1) NS asks for the WAN IP, and 2) NS talks to the router to fingerprint it.

Yes, "someone" did. Who do you think I am, this guy? ;)

You want to write about me on these forums, please say so, thanks.

phyzome wrote:I can try to run another capture,

Before you try anything else, one other thought. Can you please let us know whether you get this popup in a clean profile with only NoScript installed and all defaults?

phyzome wrote:(why doesn't NS have a public repo?)

Because Giorgio hasn't had time to set that up.
*Always* check the changelogs BEFORE updating that important software!
-

phyzome
Posts: 6
Joined: Wed Aug 12, 2009 6:52 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by phyzome » Mon Nov 28, 2016 2:47 am

barbaz wrote:
phyzome wrote:Someone said that there are two steps: 1) NS asks for the WAN IP, and 2) NS talks to the router to fingerprint it.

Yes, "someone" did. Who do you think I am, this guy? ;)

You want to write about me on these forums, please say so, thanks.


Sorry, I have a poor memory and could not immediately discover where I'd seen that. No malice intended!
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by barbaz » Mon Nov 28, 2016 2:54 am

Oh that's OK :)

In order to keep this thread on-topic and spare the inevitable 'barbaz, where exactly did you say that, hmm?' replies, here's one place - viewtopic.php?f=7&t=20790
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
therube
Ambassador
Posts: 7685
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: "WAN IP ∈ LOCAL" HTTP Authentication popup is annoying

Post by therube » Sun Dec 04, 2016 5:00 pm

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/.4.46

Post Reply