Closed Bug 1687282 Opened 3 years ago Closed 3 years ago

Undo port blocking for port 554

Categories

(Core :: Networking, defect, P2)

Tracking

()

RESOLVED WONTFIX
Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix

People

(Reporter: freddy, Assigned: freddy)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [necko-triaged])

Attachments

(1 obsolete file)

Chrome folks tell us they discovered breakage with blocking port 554 (RTSP). While I'm still a bit unsure about the specifics, I'd rather move carefully than break something of severe importance.

Assignee: nobody → fbraun
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]

The specifics seem to be that they found some enterprises that use that port to serve their proxy.pac file.
https://bugs.chromium.org/p/chromium/issues/detail?id=1164418

The patch also mentions crbug.com/1148309 but it's restricted. Might be their original slip-stream bug?
https://github.com/web-platform-tests/wpt/commit/f67cae457639f098da3b09992d7c88a46147fee8

If we've not gotten complaints from our enterprises (the port blocking list is customizable via prefs, but I don't know if it's exposed to Group Policy) maybe we should leave this in for now. People shouldn't be setting up non-standard services on a reserved port (< 1024) anyway, and this is exactly why.

Mike: have you heard anything?

Flags: needinfo?(mozilla)

Out of band, it was shared that this may involve Cisco Ironport products, but searching through their public manuals did not help. I tried a GitHub code search but couldn't find any significant HTTP-related usages of port 554 there.

I haven't heard anything, and I find it odd someone would serve the proxy PAC over a different port.

And yes, this can be configured via policy.

Flags: needinfo?(mozilla)

Port 554 was blocked for security reasons. Why does unblocking the port not re-introduce the security bug?

Yeah, unblocking it would reintroduce the security issue, which is why we're weighing it in this bug.
As mentioned above, Chrome found some enterprise issues that I wanted to flag here and bring up for consideration.
Looking at Mike's comment 4, it seems that we don't have to unblock for all users and can allow enterprises to unblock for themselves, if they find breakage.

In summary, it looks as though we can close this as WONTFIX, unless I hear any objection.

See Also: → 1689107

There is no consensus as to whether we ought to block port 554 in standards. I'll err on the side of user safety and keep this bug waiting.
There might be more once there is either consensus or significant breakage.

Looks like port 554 is very unpopular. Note this is 1% of loads from the group of (554, 1719, 1720, 1723, 6566, 10080), which in itself is only seen for one in a million requests.

Suggesting we WONTFIX here.

Chrome is still on the fence for 10080, which we'll have to resolve in another bug (if at all).

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
Attachment #9197742 - Attachment is obsolete: true
Has Regression Range: --- → yes
See Also: → 1685765