Closed Bug 147890 Opened 22 years ago Closed 22 years ago

Access to port 7 (echo) is disabled.

Categories

(Core :: Security, defect)

defect
Not set
normal

VERIFIED DUPLICATE of bug 92769

People

(Reporter: bwucke+bug, Unassigned)

Details

To reproduce:
1. Enter the URL above.

Actual results: "Access to this port has been disabled for security reasons"
requester is displayed.

Expected results: "Access denied" requester is displayed. If the host was
actually running the echo service, all the headers sent by the browser should be
displayed.
If the remote server runs some other service, like http or ftp on port 7, normal
connection should be established.

I can't really see what "security reasons" make you disable this port. It's very
comfortable for debugging purposes to visit a friendly host with echo enabled,
just to see what your browser says upon connecting. It also disables all valid
services running on this port, and this kind of protection is kinda lame, since
one can run echo on different port and it will be possible to connect to it
flawlessly. IMHO this just limits the freedom of the free software, restricting
the user from using the software for certain purposes.
There is a pref for overriding the blocking.
See bug 85601

*** This bug has been marked as a duplicate of 92769 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Please read comment 3 to bug 85601. Although I agree that this "security" thing
is pretty moronish. Well, after all, the sources are open, so we can get 'em
and recompile it the way we want...
This is to protect the _server_ from the _client_.  That is, to protect echo 
servers from buffer overrun attacks by Mozilla, for example.
The sources are under heavy development, patching new version before recompiling
every few days is no fun. Besides, there's a ton of other techniques.
That's true: the owner of a page that's visited frequently enough can set up a small
script that launches in some hidden frame, flooding the target server from
machines of all clients that visit that page. With enough of them, the DDoS
attack would get quite effective. There's one problem though: Why the hell would
he use such low-CPU and bandwidth-intensive services like Echo, Discard, Daytime
or Finger, if he could flood port 80 with much better effect?

You should immediately and unconditionally add port 80 to the black list! ;)
Denial of service is not the only problem with the situation.
-> security
V/dupe.
Status: RESOLVED → VERIFIED
Component: Networking → Security: General