Re: lynx-dev [PATCH] Blocking common ports


From: Ulf Härnhammar
Subject: Re: lynx-dev [PATCH] Blocking common ports
Date: Wed, 4 Sep 2002 22:51:52 +0200
User-agent: Mutt/1.3.28i

On Wed, Sep 04, 2002 at 11:18:19AM -0600, address@hidden wrote:
> I dislike this practice.  Protection should be the responsibility
> of the server, not the client.

Many Lynx developers seem to disagree, as the program blocks a few ports
already, as well as having options such as realms and restrictions.

> You don't know what the server may
> attempt to serve on what port.

Not in theory, no. In practice, people seem to follow IANA's recommendations
pretty closely. If something answers on port 110 at all, you can be pretty
sure it is a POP3 server.

> For example, at one time, the
> National Institute of Standards and Technology had on one of its pages:
> 
> <A HREF="http://india.colorado.edu:13/"> See the correct time. </A>
> 
> Simple, clever, effective, and harmless (I assume that they had the
> permission of colorado.edu; in fact, I suspect india was NIST's
> domain, borrowed from U. of C.)

Lame! By clicking that link, a web client tries to talk HTTP with a server
that doesn't support it. The server will rudely talk before the client has
sent a query, and the answer from the server will be interpreted as an
HTTP header by the client. Any web client that supports this flagrant
misuse of standards is too kind.

> But too many browsers (and the proxy I use) started to do what you propose,
> and NIST needed to run an additional time daemon on a different port.
> 
> > +               if (value > 65535 || value < 0 ||
> > +                   value == 13 || value == 19 ||
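
Review bot: the bare literals in `value == 13 || value == 19` give no indication of which services they stand for (daytime and chargen by IANA assignment), and they are chained into the same condition as the range check `value > 65535 || value < 0`. Consider moving the blocked ports into a named table with a comment per entry, and keeping the range check separate from the policy check, so that an out-of-range port and a deliberately blocked port can be reported differently and the list can be audited in one place.
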
> 
> I'm opposed.

I'm willing to discuss what ports should be blocked, but the current
situation where port 25 is blocked but not port 587 that does something
similar is just silly. I don't really understand why Lynx needs to be able
to talk HTTP with DNS servers either (lynx http://ns1.somesite.st:53/).
I think anyone who tries that is up to some kind of mischief.

// Ulf Harnhammar
address@hidden
http://www.metaur.nu/
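
The check under discussion, written out as a stand-alone C function: an added example, not Lynx source and not part of the message above. The function name, the verdict enum and the choice of table entries are assumptions; the table holds only ports named in the thread, and it keeps the range check apart from the policy check.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

enum port_verdict { PORT_OK, PORT_INVALID, PORT_BLOCKED };

/* Illustrative table (assumption): only ports named in the thread.
 * Which of them belong in a real block list is the open policy question. */
static const int blocked_ports[] = {
    13, 19,     /* daytime, chargen: the two in the quoted patch */
    25,         /* smtp: described in the post as already blocked */
    53, 587,    /* domain, submission: raised in the post */
};

/* Classify the port in "http://[user@]host[:port][/path]". */
enum port_verdict check_http_port(const char *url)
{
    const char *host, *end, *at, *colon;
    char *stop;
    long value;
    size_t i;
    if (strncmp(url, "http://", 7) != 0)
        return PORT_INVALID;
    host = url + 7;
    end = host + strcspn(host, "/?#");        /* end of the authority part */
    at = memchr(host, '@', (size_t)(end - host));
    if (at != NULL)
        host = at + 1;                        /* skip userinfo, it may hold ':' */
    if (*host == '[') {                       /* IPv6 literal contains ':' too */
        host = memchr(host, ']', (size_t)(end - host));
        if (host == NULL)
            return PORT_INVALID;
    }
    colon = memchr(host, ':', (size_t)(end - host));
    if (colon == NULL || colon + 1 == end)
        return PORT_OK;                       /* no explicit port: default 80 */
    if (!isdigit((unsigned char)colon[1]))
        return PORT_INVALID;                  /* rejects "+13", "-1", " 13" */
    errno = 0;
    value = strtol(colon + 1, &stop, 10);
    if (errno != 0 || stop != end || value > 65535 || value < 0)
        return PORT_INVALID;                  /* syntax and range, not policy */
    for (i = 0; i < sizeof blocked_ports / sizeof blocked_ports[0]; i++)
        if (value == blocked_ports[i])
            return PORT_BLOCKED;
    return PORT_OK;
}
```

Leading zeros (`:0013`) still match the table because the comparison is numeric, and a colon inside the userinfo part is not mistaken for a port separator.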
