Gaping Security Hole

Gaping Security Hole

Back in the days of yore, when browsers were new and NAT didn't yet exist at any significant scale, the difference between the local network and the Internet was just that your local network was things like 129.234.235.236 (a Durham University IP from the UK), while the website you wanted to visit was in a different netblock (e.g. 193.60.80.100, an IP at Cambridge University). There was no good way for a browser to know that someone on 129.234.235.236/24 considered 129.234.0.0/16 as "local", and everything else as "remote", so browsers allowed you to make HTTP requests to any IP address.

Further, the attackers of that era didn't know the difference either - you could make educated guesses, but you would not know whether 129.234.235.236 is inside the Durham firewall, and has access to 129.234.1.2 that you don't, or whether the Durham firewall treats 129.234.235.236 as dangerous, too.

This has changed - it's now a good guess on an attacker's part that 192.168.1.254 has your home router management interface if you're using BT Broadband, for example. Thus, the threat model is different, because you think of 192.168.1.254 as "private and protected", whereas in the days of yore, 129.234.1.2 was always thought of as publicly addressable.