Behave! is a new browser extension for Google Chrome and Mozilla Firefox that is designed to inform its users when sites misbehave by performing port scans or accessing private IP addresses. The extension may also work in other Chromium-based and Firefox-based browsers but I have not tested that.
Behave! should not be confused with the Firefox extension behind!, which we reviewed yesterday. The new extension reveals when sites scan local ports or access private IPs. We revealed in May 2020 that eBay and other major sites were running port scans on user systems as soon as the browser connected to these sites.
The sites checked ports used by local remote software and used the results for fraud detection, as remote software may be used for fraud. Users on the other hand voiced concern that the port scanning was unethical and an invasion of privacy.
The browser extension Behave! monitors web pages for certain activity, and informs the user if it notices it. One of the main features of the extension is that it detects port scanning and will reveal as much immediately.
The extension adds an icon to the toolbar of the browser and changes the color of the icon based on its findings. A click on the icon displays information about the activity of sites in the browser sorted by method.
- For IP access, Behave! lists the target IP and port, target host, and the host the request originated from.
- For Port scans, it lists the port, host, and the from host.
- For Rebinding scans, it lists the hosts, IPs and from host.
Behave! detects browser-based port scans, access to private IPs, and DNS rebinding attacks to private IPs.
The extension comes with a basic set of preferences that let you change the portscan threshold, enable or disable the monitoring, and enable or disable Windows notifications.
The open source extension is developed by Stefano Di Paola, the co-founder and CTO of MindedSecurity.
Technically speaking, Behave! “will alert if a web page tries to directly access […] an IP belonging to any of the following blocks”:
- Loopback addresses IPv4 127.0.0.1/8
- Loopback addresses IPv6 ::1/128
- Private Networks IPv4 10.0.0.0/8 – 172.16.0.0/12 – 192.168.0.0/16
- Unique Local Addresses IPv6 fc00::/7
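The check described by this list, combined with a port scan threshold, can be sketched as follows. This is an added example, not code from Behave! or its developer; the function names, the request record shape and the threshold semantics are assumptions, and the request log is constructed.

```javascript
// IPv4 blocks listed in the article, as [network, prefix length, label].
const V4_BLOCKS = [
  ["127.0.0.0", 8, "loopback"],
  ["10.0.0.0", 8, "private"],
  ["172.16.0.0", 12, "private"],
  ["192.168.0.0", 16, "private"],
];
const v4ToInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
// Returns "loopback", "private", "unique-local", or null for a literal-IP target.
function classifyTarget(url) {
  const host = new URL(url).hostname; // the URL parser normalises forms like 0x7f.1
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    const addr = v4ToInt(host);
    for (const [net, bits, label] of V4_BLOCKS) {
      const size = 2 ** (32 - bits);
      if (Math.floor(addr / size) === Math.floor(v4ToInt(net) / size)) return label;
    }
    return null;
  }
  if (host === "[::1]") return "loopback"; // ::1/128
  const m = /^\[([0-9a-f]{1,4}):/.exec(host);
  if (m && (parseInt(m[1], 16) & 0xfe00) === 0xfc00) return "unique-local"; // fc00::/7
  return null; // names are not resolved here, so DNS rebinding is out of scope
}

// Assumed semantics: `threshold` or more distinct ports requested on one local
// target by the same originating host counts as a port scan.
function findPortScans(requests, threshold) {
  const seen = new Map();
  for (const { from, url } of requests) {
    if (!classifyTarget(url)) continue;
    const u = new URL(url);
    const port = u.port || (/^(https|wss):$/.test(u.protocol) ? "443" : "80");
    const key = `${from} -> ${u.hostname}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(port);
  }
  return [...seen].filter(([, p]) => p.size >= threshold)
    .map(([pair, p]) => ({ pair, ports: [...p] }));
}
// Constructed request log: originating host and requested URL.
const SAMPLE = [
  { from: "shop.example", url: "wss://127.0.0.1:5900/" },
  { from: "shop.example", url: "wss://0x7f.1:5901/" },
  { from: "shop.example", url: "wss://127.0.0.1:5902/" },
  { from: "shop.example", url: "https://cdn.example/app.js" },
  { from: "intranet.example", url: "http://192.168.1.10/status" },
];
console.log(findPortScans(SAMPLE, 3));
```

Because the hostname is read after URL parsing, alternative spellings of an IPv4 address such as `0x7f.1` are counted against the same target as `127.0.0.1`.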
Behave! notifies users if sites misbehave or if DNS rebinding attacks are performed. The extension comes without any options to block the site behavior. The developer plans to introduce new features in future versions of the extension. Plans are underway to integrate a whitelist in the application and an option to “track back the code performing the suspicious activity”.