Intent to Implement and Ship: Block ports 989 and 990

[Adam Rice]

Contact emails

ri...@chromium.org

Specification

https://fetch.spec.whatwg.org/#port-blocking

Summary

Connections to HTTP, HTTPS or FTP servers of ports 989 and 990 will fail. These ports are used by the FTPS protocol, which has never been implemented in Chrome. However, FTPS servers can be attacked in a cross-protocol attack by malicious web pages using carefully-crafted HTTPS requests.

This is a mitigation for the ALPACA attack. See https://alpaca-attack.com/.

Blink component

Internals>Network

TAG review

TAG review status

Not applicable

Risks

Interoperability and Compatibility

Firefox is blocking this port. While there hasn't been feedback from Safari, they generally align with the Fetch standard on port blocks. This will inescapably cause problems for developers running servers on port 989 and 990. They will have to move to a different port. We strongly recommend using port 80 for HTTP and 443 for HTTPS to avoid the risk of future blocks.

Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1715684)

WebKit: No signal

Web developers: Mixed signals (https://twitter.com/TypeSong/status/1402997949991243778)

Ergonomics

No impact.

Activation

None needed.

Security

This is a security improvement. The main risk is that we will have to block more ports in future.

Debuggability

Not needed.

Is this feature fully tested by web-platform-tests?

Yes

Flag name

Launch bug

https://crbug.com/1197149

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5678858554572800

This intent message was generated by Chrome Platform Status.

[Yoav Weiss]

LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAC_ixdznr0q3-x0wHMr2BWJ-4nuWVPjDp_wc0DD-Gofc5K2j2A%40mail.gmail.com.

[Mike West]

LGTM2, given the context.

That said, I think you're correct that the steady drip of blocks we need to enact in order to protect users and the services they depend on is going to continue. I'd suggest that it makes sense to spend some time on https://github.com/whatwg/fetch/issues/1189 in the hopes of inverting the list.

-mike

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWYXH0nftfpLRkKjgHd0LK_7u7jXKNaqwsTK_w6gdfF1w%40mail.gmail.com.

[Manuel Rego Casasnovas]

LGTM3.

Can we send a heads-up email to webkit-dev (https://bit.ly/blink-signals)?

Cheers,
Rego

On 18/06/2021 08:05, Mike West wrote:
> LGTM2, given the context.
>
> That said, I think you're correct that the steady drip of blocks we need
> to enact in order to protect users and the services they depend on is
> going to continue. I'd suggest that it makes sense to spend some time
> on https://github.com/whatwg/fetch/issues/1189
> <https://github.com/whatwg/fetch/issues/1189> in the hopes of inverting
> the list.
>
> -mike
>
>
> On Fri, Jun 18, 2021 at 7:05 AM Yoav Weiss <yoav...@chromium.org
> <mailto:yoav...@chromium.org>> wrote:
>
> LGTM1
>
> On Thu, Jun 17, 2021 at 9:35 PM Adam Rice <ri...@chromium.org
> <mailto:ri...@chromium.org>> wrote:
>
>
> Contact emails
>

> ri...@chromium.org <mailto:ri...@chromium.org>
>
>
> Specification
>
> https://fetch.spec.whatwg.org/#port-blocking

> <https://fetch.spec.whatwg.org/#port-blocking>
>
>
> Summary
>
> Connections to HTTP, HTTPS or FTP servers of ports 989 and 990
> will fail. These ports are used by the FTPS protocol, which has
> never been implemented in Chrome. However, FTPS servers can be
> attacked in a cross-protocol attack by malicious web pages using
> carefully-crafted HTTPS requests.
>
>
> This is a mitigation for the ALPACA attack. See

> https://alpaca-attack.com/ <https://alpaca-attack.com/>.
>
>
>
> Blink component
>
> Internals>Network
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork>

>
>
> TAG review
>
>
>
> TAG review status
>
> Not applicable
>
>
> Risks
>
>
>
> Interoperability and Compatibility
>
> Firefox is blocking this port. While there hasn't been feedback
> from Safari, they generally align with the Fetch standard on
> port blocks. This will inescapably cause problems for developers
> running servers on port 989 and 990. They will have to move to a
> different port. We strongly recommend using port 80 for HTTP and
> 443 for HTTPS to avoid the risk of future blocks.
>
>
>
> Gecko: Shipped/Shipping
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1715684

> <https://bugzilla.mozilla.org/show_bug.cgi?id=1715684>)

>
> WebKit: No signal
>
> Web developers: Mixed signals
> (https://twitter.com/TypeSong/status/1402997949991243778

> <https://twitter.com/TypeSong/status/1402997949991243778>)

>
>
> Ergonomics
>
> No impact.
>
>
>
> Activation
>
> None needed.
>
>
>
> Security
>
> This is a security improvement. The main risk is that we will
> have to block more ports in future.
>
>
>
> Debuggability
>
> Not needed.
>
>
>
> Is this feature fully tested by web-platform-tests

> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?

>
> Yes
>
>
> Flag name
>
>
>
> Launch bug
>

> https://crbug.com/1197149 <https://crbug.com/1197149>

>
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/5678858554572800
> <https://chromestatus.com/feature/5678858554572800>
>
> This intent message was generated by Chrome Platform Status

> <https://www.chromestatus.com/>.

>
> --
> You received this message because you are subscribed to the
> Google Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from
> it, send an email to blink-dev+...@chromium.org

> <mailto:blink-dev+...@chromium.org>.

> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAC_ixdznr0q3-x0wHMr2BWJ-4nuWVPjDp_wc0DD-Gofc5K2j2A%40mail.gmail.com

> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAC_ixdznr0q3-x0wHMr2BWJ-4nuWVPjDp_wc0DD-Gofc5K2j2A%40mail.gmail.com?utm_medium=email&utm_source=footer>.

>
> --
> You received this message because you are subscribed to the Google
> Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to blink-dev+...@chromium.org

> <mailto:blink-dev+...@chromium.org>.

> To view this discussion on the web visit

> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWYXH0nftfpLRkKjgHd0LK_7u7jXKNaqwsTK_w6gdfF1w%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWYXH0nftfpLRkKjgHd0LK_7u7jXKNaqwsTK_w6gdfF1w%40mail.gmail.com?utm_medium=email&utm_source=footer>.

>
> --
> You received this message because you are subscribed to the Google
> Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to blink-dev+...@chromium.org

> <mailto:blink-dev+...@chromium.org>.

> To view this discussion on the web visit

> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DckN5s%3DP6WBS2xVrWhjbnOV8F61khLXNKrs0neaoCfNNg%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DckN5s%3DP6WBS2xVrWhjbnOV8F61khLXNKrs0neaoCfNNg%40mail.gmail.com?utm_medium=email&utm_source=footer>.