uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

login.deutsche-rentenversicherung.de: breakage #23388

Closed zWhdmB5T closed 7 months ago

zWhdmB5T commented 7 months ago

Prerequisites

URL address of the web page

https://login.deutsche-rentenversicherung.de/realms/DRV/broker/eid/login

Category

breakage

Description

Title: Block Outsider Intrusion into LAN
Description: Prevents public internet sites from digging into your local LAN files.

Filter: ||localhost^$3p,from=~0.0.0.0|~127.0.0.1|~[::1]|~[::]|~local|~localhost
Filter list: Block Outsider Intrusion into LAN
Context: login.deutsche-rentenversicherung.de
Partyness (3): deutsche-rentenversicherung.de ⇒ localhost
Type: websocket
URL: ws://localhost:24727/eID-Kernel

Other extensions used

LocalCDN, I don't care about cookies, IndicateTLS

Screenshot(s)

Configuration

```yaml
uBlock Origin: 1.57.2
Firefox: 124
filterset (summary):
  network: 240673
  cosmetic: 100819
  scriptlet: 41759
  html: 2030
listset (total-discarded, last-updated):
  added:
    adguard-generic: 80958-3919, 6m
    adguard-mobile: 9260-56, 6m
    adguard-spyware-url: 1494-120, 6m
    block-lan: 61-0, now
    curben-phishing: 13993-2, now
    ublock-annoyances: 6886-74, 6m Δ
    dpollock-0: 11669-440, now
    adguard-spyware: 88051-29149, 6m
  default:
    user-filters: 0-0, never
    ublock-filters: 37699-109, 6m Δ
    ublock-badware: 8317-0, 6m Δ
    ublock-privacy: 830-1, 6m Δ
    ublock-unbreak: 2313-2, 6m Δ
    ublock-quick-fixes: 241-21, 6m Δ
    easylist: 86192-1660, 6m Δ
    easyprivacy: 50791-164, 6m Δ
    urlhaus-1: 13070-0, now
    plowe-0: 3736-1591, now
    DEU-0: 7401-53, now
filterset (user): [empty]
trustedset:
  added: [array of 6 redacted]
hostRuleset:
  added: [array of 66 redacted]
userSettings:
  contextMenuEnabled: false
hiddenSettings: [none]
supportStats:
  allReadyAfter: 206 ms (selfie)
  maxAssetCacheWait: 121 ms
  cacheBackend: indexedDB
popupPanel:
  blocked: 16
  network:
    localhost: 16
```

JobcenterTycoon commented 7 months ago

The eID login is trying to connect to the installed eID app. Other example request: http://127.0.0.1:24727/eID-Client?Status=json on https://organspende-register.de/erklaerendenportal/registrierung?auswahl=ABGEBEN

Technical: https://www.ausweisapp.bund.de/fuer-diensteanbieter/leitfaden/technische-hinweise

JobcenterTycoon commented 7 months ago

@gwarser

zWhdmB5T commented 7 months ago

With block-list "Block Outsider Intrusion into LAN" enabled, I am able to run successfully with my (German) eID card:

but that one does not work due to a filter (I have now set a specific exclusion on my side): Deutsche Rentenversicherung

(I have an exclusion for the last entry, but not for the three above…)

further details:

gwarser commented 7 months ago

I don't know how to reproduce. (geolocked?)

This will work?

@@||localhost^$from=login.deutsche-rentenversicherung.de

JobcenterTycoon commented 7 months ago
  1. Open https://kundenportal.deutsche-rentenversicherung.de/
  2. It will redirect to an options menu. Select "(eID)".
  3. Scroll down and click on "Registrieren"

Now the site tries to connect to the eID app with a localhost URL, ws://localhost:24727/eID-Kernel, but Block Outsider Intrusion into LAN blocks the requests.

zWhdmB5T commented 7 months ago

> I don't know how to reproduce. (geolocked?)
>
> This will work?
>
> @@||localhost^$from=login.deutsche-rentenversicherung.de

I set it more specifically: @@||localhost:24727/eID-Kernel$websocket,domain=login.deutsche-rentenversicherung.de … but, yes

zWhdmB5T commented 7 months ago

For this issue and similar ones: this site, Personalausweisportal - Anwendungensuche, lists providers for German eID card services… maybe there are some more that do not work without specific exclusions. I haven't tested all of them, just the ones I need myself, as listed above (maybe some more in future).

JobcenterTycoon commented 7 months ago

I whitelisted a few more already: https://github.com/uBlockOrigin/uAssets/commit/5aa03658027796c3ffae75f3d5be4989fa611da3. The problem is that a generic whitelist filter would punch holes inside the blocklist which could be exploited by every site for fingerprinting or attacking purposes.

zWhdmB5T commented 7 months ago

Would @@||localhost:24727/eID-Kernel$websocket be too generous? (just a humble question, maybe this suggestion is silly…) Otherwise, every specific domain actually has to be provided, as it is now. Well, German eID support is growing slowly, i.e. not so many domains to add, maybe (depends on users reporting errors).

For comparison: why didn't I get blocked (it worked without specific user exclusion) at Führungszeugnis resp. Führungszeugnis ? (humble question, but interested, I just don't know…)

zWhdmB5T commented 7 months ago

> For comparison: why didn't I get blocked (it worked without specific user exclusion) at Führungszeugnis resp. Führungszeugnis ? (humble question, but interested, I just don't know…)

Oh sorry, I didn't get that it's bund.de as the domain — I was confused because bund.de is just the main domain, but in this case with added subdomain. sorry!

bund.de , indeed, should apply to several cases. :-)

But then, obviously, quite a few domains have to be added to the whitelist in the filter list, don't they. Probably not many people use uBlock WITH this specific filter list AND German eID service login (there would probably be more issues otherwise).

JobcenterTycoon commented 7 months ago

Every site can try to connect to the local IP/hostname and port. This is why the Block Outsider Intrusion into LAN blocklist was created: it blocks access to local resources by sites which are not local. This is also why the list is disabled by default, because uBO can't distinguish between "good" and "bad" requests (except via specific whitelist filters).

I searched a bit and I see the government site mv-serviceportal.de is also commonly used. Added to the whitelist now: https://github.com/uBlockOrigin/uAssets/commit/9b1c6358dc502c265cf788630f42d3010388fdd9

@gwarser

@@||127.0.0.1^$domain=~intel.cn|~intel.co.id|~intel.co.jp|~intel.co.kr|~intel.com|~intel.com.br|~intel.com.tw|~intel.de|~intel.fr|~intel.la|~intel.vn

from https://github.com/uBlockOrigin/uAssets/commit/a316bca5909f704dbfbf3d5a5eaa7d2808d623d2 looks wrong. It allows every site a connection to 127.0.0.1 except intel sites.
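The two points raised in the comments above, that a site-specific exception keeps the hole small while a generic one is usable by every site, and that an exception whose domain= list contains only negated entries applies to every site except those listed, can be checked with a small model of the filter semantics. The block below is an added example written for this page, not code from uBlock Origin or uAssets. It models only the subset of uBO's static network filter syntax that appears in this thread (||hostname^ anchors, the 3p/1p, websocket and domain=/from= options with ~ negation, and @@ exceptions); it is not uBO's engine, and its party check is a simplification. The ||127.0.0.1^ block line is assumed to exist in the block-lan list next to the quoted localhost line (it is modelled on it), and evil.example is a constructed attacker site.

```javascript
// Added example (not uBO's code): a deliberately small model of the static
// network filter syntax used in this thread. uBO's real engine (public-suffix
// based party detection, entity lists, regex filters, important/redirect
// priorities, ...) is much richer; only the semantics needed here are modelled.
const SEPARATOR = "(?:[^\\w.%-]|$)"; // what '^' stands for in a filter pattern
const TYPE_ALIASES = { xhr: "xmlhttprequest" };

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Only the ||hostname-anchored form is modelled; other patterns fall back to a
// plain substring match. '^' becomes a separator class, '*' a wildcard.
function patternToRegex(pattern) {
  const anchored = pattern.startsWith("||");
  const body = escapeRegex(anchored ? pattern.slice(2) : pattern)
    .replace(/\\\^/g, SEPARATOR)
    .replace(/\\\*/g, ".*");
  return new RegExp((anchored ? "^(?:[a-z0-9.-]+\\.)?" : "") + body, "i");
}

function parseFilter(raw) {
  let text = raw.trim();
  const exception = text.startsWith("@@");
  if (exception) text = text.slice(2);
  const dollar = text.lastIndexOf("$");
  const pattern = dollar === -1 ? text : text.slice(0, dollar);
  const options = dollar === -1 ? [] : text.slice(dollar + 1).split(",");
  const f = { raw, exception, regex: patternToRegex(pattern), thirdParty: null, types: null, contexts: null };
  for (const opt of options) {
    if (opt === "3p" || opt === "third-party") f.thirdParty = true;
    else if (opt === "1p" || opt === "first-party") f.thirdParty = false;
    else if (opt.startsWith("domain=") || opt.startsWith("from=")) {
      f.contexts = opt.slice(opt.indexOf("=") + 1).split("|").map((d) => ({
        negated: d.startsWith("~"),
        host: d.replace(/^~/, ""),
      }));
    } else f.types = (f.types || []).concat(TYPE_ALIASES[opt] || opt);
  }
  return f;
}

const hostMatches = (host, entry) => host === entry || host.endsWith("." + entry);

// Simplified party check: same site if one hostname equals or is a subdomain of
// the other (uBO consults the public suffix list instead).
const isThirdParty = (reqHost, ctxHost) => !(hostMatches(reqHost, ctxHost) || hostMatches(ctxHost, reqHost));

// domain=/from= semantics: a negated (~) entry matching the context vetoes the
// filter; if non-negated entries exist, at least one of them must match.
// A list made only of negated entries therefore matches every other site.
function contextMatches(entries, ctx) {
  if (!entries) return true;
  if (entries.some((e) => e.negated && hostMatches(ctx, e.host))) return false;
  const positives = entries.filter((e) => !e.negated);
  return positives.length === 0 || positives.some((e) => hostMatches(ctx, e.host));
}

function filterMatches(f, req) {
  const reqHost = new URL(req.url).hostname;
  const withoutScheme = req.url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  if (!f.regex.test(withoutScheme)) return false;
  if (f.types && !f.types.includes(req.type)) return false;
  if (f.thirdParty !== null && isThirdParty(reqHost, req.context) !== f.thirdParty) return false;
  return contextMatches(f.contexts, req.context);
}

// A matching exception (@@) wins over any matching block filter.
function decide(filterTexts, req) {
  const matching = filterTexts.map(parseFilter).filter((f) => filterMatches(f, req));
  const winner = matching.find((f) => f.exception) || matching.find((f) => !f.exception);
  if (!winner) return { action: "allow", by: null };
  return { action: winner.exception ? "allow" : "block", by: winner.raw };
}

// Filters quoted in the issue. BLOCK_LAN_IP is an assumption: a 127.0.0.1 line
// modelled on the quoted localhost line of the block-lan list.
const BLOCK_LAN = "||localhost^$3p,from=~0.0.0.0|~127.0.0.1|~[::1]|~[::]|~local|~localhost";
const BLOCK_LAN_IP = "||127.0.0.1^$3p,from=~0.0.0.0|~127.0.0.1|~[::1]|~[::]|~local|~localhost";
const NARROW_EXCEPTION = "@@||localhost:24727/eID-Kernel$websocket,domain=login.deutsche-rentenversicherung.de";
const BROAD_EXCEPTION = "@@||localhost:24727/eID-Kernel$websocket";
const INTEL_EXCEPTION = "@@||127.0.0.1^$domain=~intel.cn|~intel.co.id|~intel.co.jp|~intel.co.kr|~intel.com|~intel.com.br|~intel.com.tw|~intel.de|~intel.fr|~intel.la|~intel.vn";

// Requests quoted in the issue; evil.example is a constructed attacker site.
const EID_WS = { url: "ws://localhost:24727/eID-Kernel", type: "websocket", context: "login.deutsche-rentenversicherung.de" };
const EID_STATUS = { url: "http://127.0.0.1:24727/eID-Client?Status=json", type: "xmlhttprequest", context: "evil.example" };

for (const [label, filters, req] of [
  ["eID websocket, block-lan only", [BLOCK_LAN], EID_WS],
  ["eID websocket, narrow exception", [BLOCK_LAN, NARROW_EXCEPTION], EID_WS],
  ["evil.example, narrow exception", [BLOCK_LAN, NARROW_EXCEPTION], { ...EID_WS, context: "evil.example" }],
  ["evil.example, broad exception", [BLOCK_LAN, BROAD_EXCEPTION], { ...EID_WS, context: "evil.example" }],
  ["evil.example probes 127.0.0.1, intel exception", [BLOCK_LAN_IP, INTEL_EXCEPTION], EID_STATUS],
  ["www.intel.com probes 127.0.0.1, intel exception", [BLOCK_LAN_IP, INTEL_EXCEPTION], { ...EID_STATUS, context: "www.intel.com" }],
]) {
  console.log(label.padEnd(50), decide(filters, req));
}
```

Run with node. The narrow exception allows the eID websocket only from login.deutsche-rentenversicherung.de and still blocks the same request from evil.example; the broad websocket-only exception lets evil.example open that websocket too (it does at least still block a plain HTTP probe of the same port, because of the websocket type restriction); and the intel.* exception, having only negated domain entries, allows evil.example to reach 127.0.0.1 while blocking www.intel.com, the opposite of what a whitelist for intel sites would want.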

gwarser commented 7 months ago

I should probably go through the PR way next time :\