Hi,
A couple of weeks ago, I added the ports mentioned above to the
existing list of blocked ports.
The additional port blocking is in response to an improvement of last
year's "NAT slipstreaming" attack; see footnote [1] for more.
Again, we acknowledge that this stops an instance of the attack rather
than solving the problem, which will have to happen elsewhere.
This announcement was delayed for the sake of coordinated disclosure
with other vendors.
Bugs: 1677940 and 1677047
Standard: If all goes well, this will be in fetch
<https://github.com/whatwg/fetch/pull/1148>
Platform coverage: on all platforms
Preference: We can revert this using the existing
network.security.ports.banned.override pref
DevTools bug: N/A
Other browsers: Blink shipped
web-platform-tests: Coming.
Thanks,
Freddy
[1] <https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/>