Re: Restricted ports

Marc VanHeyningen (mvanheyn@cs.indiana.edu)
Fri, 13 Aug 1993 00:42:02 -0500


Thus wrote: Tony Sanders
>First off we are only talking about restricting gopher (I hope).
>HTTP can't talk to SMTP anyway so no point in restricting it.

Gopher is the only scheme for which concrete vulnerabilities are known
(by me at least) right now. Other schemes (ftp, wais, http, etc.)
seem to be specific enough that if you try to speak them to some other
service, you don't get anything dangerous (or even useful). However,
any scheme added to the URL scheme should include this kind of
consideration, just as new MIME types require a security review. No,
it's not exciting, but it needs to be there.

>So please don't use ports other than 80 unless they are over 1024.
>And browsers should warn users before sending sensitive information
>(like userid/passwd in the clear) to ports other than 80.

I actually wonder sometimes about sites that never use port 80 and
only use high-numbered ones. If the people running the server and the
people with root authority on that machine are not working together at
least enough to allow the server to use the right port, one wonders
about cooperation and stability. I guess I'm guilty of discrimination
against differently-numbered people. (Well, actually I just want to
see our stats on the backbone traffic rise. :-)

- Marc

--
Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME, RIPEM & HTTP spoken here
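The port rule quoted above (use the scheme's own port or one above 1024, and warn before sending credentials anywhere else) expressed as a client-side URL check. This is an added example, not code from the thread or from any browser of the time; the default-port table and the `check_url_port` name are assumptions, and it generalises Tony's port-80 wording to each scheme's default port.

```python
from urllib.parse import urlsplit

# Assumed table of default ports for the schemes named in the thread.
DEFAULT_PORTS = {"http": 80, "gopher": 70, "ftp": 21, "wais": 210}


def check_url_port(url):
    """Classify a URL under the thread's port policy.

    Returns (verdict, reason) where verdict is one of:
      "allow"   - default port for the scheme, or a port above 1024
      "warn"    - acceptable port, but the URL carries a userid/password
                  that would be sent somewhere other than the default port
      "reject"  - a privileged port (<= 1024) that is not the scheme's
                  default, i.e. most likely some other service (the
                  gopher-to-SMTP case from the thread)
      "unknown" - scheme not covered by the policy table
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return ("unknown", "no default port known for scheme %r" % scheme)
    try:
        port = parts.port  # None when the URL has no explicit port
    except ValueError:
        return ("reject", "port is not a valid port number")
    default = DEFAULT_PORTS[scheme]
    if port is None or port == default:
        effective = default
    elif port > 1024:
        effective = port
    else:
        return ("reject",
                "port %d is a privileged port that is not the %s default (%d)"
                % (port, scheme, default))
    # Second rule: credentials in the URL headed for a non-default port.
    if parts.username is not None and effective != default:
        return ("warn",
                "userid/password in URL would be sent in the clear to port %d"
                % effective)
    return ("allow", "port %d is acceptable for %s" % (effective, scheme))


if __name__ == "__main__":
    # Constructed sample URLs; example.test is a reserved test domain.
    for u in ("gopher://example.test:25/1", "http://example.test/",
              "http://example.test:8080/",
              "http://alice:secret@example.test:8080/"):
        print(u, "->", check_url_port(u))
```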