Intent to Implement and Ship: Block HTTP ports 69, 137, 161, 1719, 1720, 1723, and 6566

Adam Rice

Jan 28, 2021, 8:58:09 AM
to blink-dev

Contact emails

ri...@chromium.org

Explainer

None

Specification

https://fetch.spec.whatwg.org/#port-blocking

Summary

Connections to HTTP, HTTPS or FTP servers on ports 69, 137, 161, 1719, 1720, 1723 or 6566 will fail. This is a mitigation for the NAT Slipstream 2.0 attack: https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/. It helps developers by keeping the web platform safe for users.


This security fix has already shipped in version 87.0.4280.117. This intent has been delayed until the vulnerability was publicly disclosed.



Blink component

Internals>Network

TAG review

No TAG review as this is a security fix.

TAG review status

Not applicable

Risks



Interoperability and Compatibility

Safari, Firefox and Chrome have coordinated to fix this issue, so interoperability risk is small. Existing web servers on the affected ports will no longer be accessible. Since it is not common practice to run servers on these ports, the impact is expected to be small.



Gecko: Shipped/Shipping (https://www.mozilla.org/en-US/security/advisories/mfsa2021-03/)

Edge: Shipped/Shipping (https://msrc.microsoft.com/update-guide/vulnerability/ADV200002)

WebKit: Shipped/Shipping (https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/)

Web developers: No signals

Security

This is a mitigation for a known attack. The underlying issue of NAT devices being tricked into creating port forwards cannot be fixed in the browser.



Is this feature fully tested by web-platform-tests?

Yes

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5671629327695872

This intent message was generated by Chrome Platform Status.

Yoav Weiss

Jan 28, 2021, 9:37:29 AM
to Adam Rice, blink-dev
LGTM1


Manuel Rego Casasnovas

Jan 28, 2021, 10:08:53 AM
to Yoav Weiss, Adam Rice, blink-dev
LGTM2

On 28/01/2021 15:37, Yoav Weiss wrote:
> LGTM1

Rick Byers

Jan 28, 2021, 11:01:50 AM
to Manuel Rego Casasnovas, Yoav Weiss, Adam Rice, blink-dev
Thanks for doing this intent retroactively!

I assume the list of blocked ports in the fetch spec (and any associated WPT tests) is being updated with these new ports, is that right? Is there a PR you can link to here?

LGTM3 assuming such a PR is in progress.


Armando Magalhaes

Jan 28, 2021, 12:14:08 PM
to Manuel Rego Casasnovas, Yoav Weiss, Adam Rice, blink-dev
LGTM3


Frederik Braun

Jan 29, 2021, 12:16:47 PM
to blin...@chromium.org
https://github.com/whatwg/fetch/pull/1148

On 28.01.21 at 17:01, Rick Byers wrote:
> Thanks for doing this intent retroactively!
>
> I assume the list of blocked ports
> <https://fetch.spec.whatwg.org/#port-blocking> in the fetch spec (and
> any associated WPT tests) is being updated with these new ports, is that
> right? Is there a PR you can link to here?
>
> LGTM3 assuming such a PR is in progress.