Re: Restricted ports

Tony Sanders <sanders@bsdi.com>
Errors-To: sanders@bsdi.com
Message-id: <9308130510.AA17000@austin.BSDI.COM>
To: www-talk@nxoc01.cern.ch
Subject: Re: Restricted ports 
In-Reply-To: Charles Henrich's message of Thu, 12 Aug 93 21:32:23 EDT.
Reply-To: sanders@bsdi.com
Organization: Berkeley Software Design, Inc.
Date: Fri, 13 Aug 1993 00:10:49 -0500
From: Tony Sanders <sanders@bsdi.com>
> While I acknowledge that something should be done, I'd be much more in favor of
> excluding ports, rather than including ports.  I.e. disallow 25, instead of
> allowing only 80, 70 etc.  Excluding all ports could cause havoc here, as
> currently my server uses 3 ports (80 through 83).
First off, we are only talking about restricting gopher (I hope).
HTTP can't talk to SMTP anyway, so no point in restricting it.

Second, if you are using anything below 1024 other than 80 for HTTP then
you are violating the basic principle of those being reserved ports and
you should ask yourself "why" you are using those ports?  Do you
know why they exist?

The basic idea is if you trust the host then you can trust all ports under
1024 to be what they say they are and not users running trojan horses
on them.

HTTP in general has nothing to lose by being spoofed, so it doesn't have to
run on a secure port unless you are sending authentication or sensitive
information, and in those cases you should *ONLY* talk to port 80 on
trusted hosts (this is why you should never send anything you want kept
private via email, because it passes through untrusted hosts).

So please don't use ports other than 80 unless they are over 1024.
And browsers should warn users before sending sensitive information
(like userid/passwd in the clear) to ports other than 80.

--sanders
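The port rules argued over in this thread, written out as a client-side policy check. This is an added example, not code from either poster; it assumes the classic Unix reserved-port boundary of 1024, default ports 80 for http and 70 for gopher, and uses `example.com` as a constructed host.

```python
"""Port policy checks for the rules discussed in the thread (constructed example)."""
from urllib.parse import urlsplit

# Classic Unix: only root may bind ports below 1024, so a listener on such a
# port on a trusted host can be assumed to be what it claims to be.
FIRST_UNRESERVED_PORT = 1024
DEFAULT_PORTS = {"http": 80, "gopher": 70}  # assumed scheme defaults


def effective_port(url):
    """Port the client would connect to, falling back to the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def is_reserved(port):
    """True for ports that require root to bind on classic Unix."""
    return 0 <= port < FIRST_UNRESERVED_PORT


def gopher_port_allowed(port, deny=(25,), allow=None):
    """The two policies contrasted in the quoted reply: exclude listed ports
    (deny list, default excludes SMTP), or permit only listed ports when an
    allow list is given."""
    if allow is not None:
        return port in allow
    return port not in deny


def check_http_url(url):
    """Apply the thread's two http rules to a URL and return the findings:
    a reserved port other than 80 contradicts the reserved-port convention,
    and a browser should warn before sending credentials to any port but 80."""
    port = effective_port(url)
    return {
        "port": port,
        "misuses_reserved_port": is_reserved(port) and port != 80,
        "warn_before_credentials": port != 80,
    }
```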