bcc net-dev@, security-dev@
Primary eng (and PM) emails
mk...@chromium.org, pal...@chromium.org
Summary
I'd like to add ports 9100, 6697, and 631 to our "bad ports" list, as they represent protocols that fail to handle HTTP requests in a secure way. For example, `http://server:9100/` will, with some cleverness, expose all the print jobs on a networked printer.
Motivation
http://hacking-printers.net/wiki/index.php/Cross-site_printing describes the issues with port 9100 in some detail. In short: printers don't understand HTTP, and can be convinced to echo arbitrary text through creative abuse of the AppSocket protocol.
Similar issues exist for the Internet Printing Protocol over 631.
We already blocked 6697 in https://crbug.com/676951 without much public discussion. Sorry about that!
Compatibility And Interoperability Risk
We don't have numbers for these ports, but my expectation is that they won't be used in HTTP requests on legitimate sites, as they're reserved for non-HTTP protocols, meaning that endpoints expected to be on these ports don't speak HTTP.
I've started a conversation on Fetch at https://github.com/whatwg/fetch/issues/482, and I expect other vendors should be on board once they see it.
Alternative implementation suggestion for web developers
Developers can embed resources from HTTP servers, rather than from printers.
Usage information from UseCounter
None.
OWP launch tracking bug
https://crbug.com/687530 and https://crbug.com/676951.
Entry on the feature dashboard
I'm happy to create entries if it's helpful for folks writing blog posts, but I don't think it makes sense to list each port we block individually, nor does it really make sense to have an arbitrary grouping of ports. *shrug* How would y'all like me to structure this?
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
I imagine some developers randomly picking a port for their local environment, ending up using one of those ports, confused about why it does not work (or worse, why it stopped working).As long as there is a non-cryptic error message in the console ("Blocked a request to an unsafe port (6697). Try using a different port." and perhaps even a "learn more" link if you want to be nice), I agree that no announcement should be made.
On Tue, 7 Feb 2017 11:28:46 +0100
Mike West <mk...@chromium.org> wrote:
> I'd like to add ports 9100, 6697, and 631 to our "bad ports
> <https://fetch.spec.whatwg.org/#bad-port>" list, as they represent
> protocols that fail to handle HTTP requests in a secure way. For
> example, ` http://server:9100/` will, with some cleverness, expose
> all the print jobs on a networked printer.
631 is used by cups for the local webinterface.
I imagine some developers randomly picking a port for their local environment, ending up using one of those ports, confused about why it does not work (or worse, why it stopped working).
As long as there is a non-cryptic error message in the console ("Blocked a request to an unsafe port (6697). Try using a different port." and perhaps even a "learn more" link if you want to be nice), I agree that no announcement should be made.A single entry can be created for all of the standard unsafe ports Chrome blocks (and another one for all of the nonstandard ones, for transparency and red colors on the dashboard), though it is really not of high priority, in my opinion.
LGTM to deprecate, but I agree that we should have hard data on the expected level of breakage before we agree to remove.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Adding a counter that splits on <1024 (system ports), <49152 (maybe-static ports) and >=49152 (certainly-dynamic ports) seems doable.