Re: solution time for www/smtp hole

From: rhb@hotsand.att.com
Date: Fri, 13 Aug 93 14:16:10 EDT
Original-From: hotsand!rhb (Rich Brandwein)
Message-id: <9308131816.AA07061@hotsand.dacsand>
To: www-talk@nxoc01.cern.ch
Subject: Re: solution time for www/smtp hole
>  
>  My apologies, I sent this to Marc personally the first time.
>  
>  On Fri, 13 Aug 93 01:27:32 -0500  Marc Andreessen wrote:
>  > With that in mind, suppose we take the approach of only outlawing a
>  > few ports as opposed to restricting the valid range to a given set
>  > (both approaches have been suggested).  What ports other than 25
>  > should be outlawed?
>  
>  I don't think that exclusion is the way to go.  If we're going to exclude
>  any services listed in the Assigned Numbers RFC (rfc1340 right now) that
>  look like they might be dangerous, we'd better exclude 71-74 (Remote Job
>  Service), 82 (XFER Utility), etc.  Most of the "funky" ports that are
>  currently in use are already officially assigned to something else, and
>  when you connect to port 82 on joe.random.host you can't be sure whether
>  you're getting the XFER utility or the httpd that someone stuck on some
>  random port.
>  
>  With exclusion, you can never be sure that you excluded enough.
>  
>  Yes, it will require people to redo their configurations, but arguably,
>  any configuration with an HTTP server running on a port <1024 != 80 is
>  wrong.  I think that any non-experimental additional HTTP servers should
>  either get assigned numbers from the IANA or use ports >1024.

Once again, let me jump in and agree and point out that today's Friday the 13th
(let's fix it before a black cat crosses our path...).  Since ports 81-85
seem to be assigned, use port 80 only (and >1024 seems fine).  Let's
get the thing fixed "officially" before the "cat's out of the bag".  I would
have liked to have avoided distributing multiple fixes, but the process seems to
have failed.

Rich Brandwein
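The two port policies argued over in this thread, side by side, as an added example (this is not code from the thread, from NCSA Mosaic, or from any WWW client of the time). It parses the port a client would connect to for an http URL and applies either the exclusion approach (outlaw a few ports, here only 25) or the range approach the quoted poster favours (port 80, or an unprivileged port above 1024). The host joe.random.host is the placeholder from the thread; the sample URLs are constructed for the demo.

```python
"""Port policy for a WWW client: exclusion list vs. allowed range.

Added example, not code from the 1993 www-talk thread or from any
browser of that era. It contrasts outlawing a few known-dangerous ports
(exclusion) with allowing only port 80 and unprivileged ports >1024.
"""
from urllib.parse import urlsplit

# Exclusion approach: only the ports someone thought of. Port 25 is the
# one the thread is about; 71-74 (Remote Job Service) and 82 (XFER
# Utility) are the quoted poster's examples of assigned services that an
# exclusion list this short would still let a client reach.
EXCLUDED_PORTS = {25}


def port_from_url(url: str) -> int:
    """Return the TCP port a client would connect to for an http URL.

    An absent port means the default HTTP port 80. A URL whose port does
    not parse, or that has no host or a non-http scheme, raises
    ValueError so the caller cannot silently fall through to a default.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port  # None when absent; ValueError when out of 0-65535
    return 80 if port is None else port


def allowed_by_exclusion(port: int) -> bool:
    """Exclusion policy: everything is reachable except a fixed deny set."""
    return port not in EXCLUDED_PORTS


def allowed_by_range(port: int) -> bool:
    """Range policy from the thread: port 80, or an unprivileged port >1024."""
    return port == 80 or port > 1024


def check_url(url: str, policy) -> bool:
    """Apply a port policy to a URL; a URL that fails to parse is refused."""
    try:
        port = port_from_url(url)
    except ValueError:
        return False
    return policy(port)


if __name__ == "__main__":
    # Constructed sample URLs using the thread's placeholder host.
    samples = [
        "http://joe.random.host/",        # default port 80
        "http://joe.random.host:25/",     # the SMTP hole itself
        "http://joe.random.host:82/",     # XFER Utility per RFC 1340
        "http://joe.random.host:73/",     # Remote Job Service range
        "http://joe.random.host:8080/",   # unprivileged, fine under both
        "http://joe.random.host:99999/",  # port out of range
    ]
    for url in samples:
        print(f"{url:34} exclusion={check_url(url, allowed_by_exclusion)!s:5} "
              f"range={check_url(url, allowed_by_range)}")
```

Running the block shows the point made in the thread: the exclusion list stops port 25 but still admits 73 and 82, and any other assigned service nobody listed, while the range policy refuses them without the client needing to know what is assigned there.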