347393 - Online banking in 3 Baltic states - Hansapank uses port 563, which Firefox blocks

Status: RESOLVED FIXED

(Firefox :: General, defect)

Description

[Eugene Savitsky]

1. Open https://www.telehansa.net/cgi-bin/thnet?language=ENG
2. Just hit the "Enter with ID-Card" button.
3. The URL is https://www.telehansa.net:563/cgi-bin/thnet
4. In FF2b1 you'll get: 
This address is restricted
This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.

No banking is possible. The Hansapank is the major bank in all 3 Baltic states (Estonia, Latvia, Lithuania) and started business in Russia.

Comment 1

[Eugene Savitsky]

The https://www.telehansa.net is made for business.

For the private users they use this banking domain:
https://www.hanza.net/cgi-bin/hanzanet?language=ENG

and the ID-card link is
https://www.hanza.net:563/cgi-bin/hanzanet

Comment 2

[Mats Palmgren (inactive)]

There is a hidden pref to override this security feature in about:config.

network.security.ports.banned.override

It can be set to one or more (comma separated) ports that should be allowed.


*** This bug has been marked as a duplicate of 85601 ***

Comment 3

[Eugene Savitsky]

So, every user must change it by hand? In FF1.5 it works well without any modding.

BTW I did not installed the FF 2.0 Beta 2 yet.

Comment 4

[Phil Ringnalda (:philor)]

*** Bug 355259 has been marked as a duplicate of this bug. ***

Comment 5

[Daniel Veditz [:dveditz]]

Un-duping. The other bug asks for a generic UI to make setting this easier. The Estonian bank problem can be fixed in other ways e.g. backing out part of bug 301762. "Depends on" maybe.

We can certainly point fingers of blame around (see RFCs that clearly say ports 256-1024 are reserved for standard services -- that means not websites), but if there are really that many users maybe that outweighs theoretical server attacks on the NNTP service.

Comment 6

[Boris Zbarsky [:bzbarsky]]

Have we tried contacting this bank yet?

Comment 7

[C. Fox]

(In reply to comment #5)
> Un-duping. The other bug asks for a generic UI to make setting this easier. The
> Estonian bank problem can be fixed in other ways e.g. backing out part of bug
> 301762. "Depends on" maybe.

Such a UI could specify per site, much like the pop=up blocker and extension server whitelist. So the port would only be open on the banking site.

Comment 8

[Mike Beltzner [:beltzner, not reading bugmail]]

Unduping is fine, but we're still not going to block Firefox 2 on this bug. Adding relnote keyword, I suppose. Suggesting we also open a tech evangelism bug.

Comment 9

[Eugene Savitsky]

Actually it's not only Estonia, but Latvia and Lithuania also.

Comment 10

[Chris Lawson (gone)]

(In reply to comment #8)
> Suggesting we also open a tech evangelism bug.

Mike, was this ever done? I don't see one, and I agree that our primary strategy on this issue should be to convince the bank to stop using port 563.

Comment 11

[Eugene Savitsky]

Now the issue is gone for the bank. May we close it or should it be open for future problems?

Comment 12

[Chris Lawson (gone)]

Well, there's no need to open a TE bug any more, that's for sure :)

It's not exactly clear to me what this bug is asking for at this point. Is the desire to have per-site security exception UI so that specific sites can use specific non-standard ports (basically comment 7)?

If so, that seems a little silly to me. Why are these sites using non-standard ports for things they shouldn't be using them for? Wouldn't it be better to keep the about:config setting described in comment 2 and file TE bugs on the affected sites in an attempt to convince them that they're doing something wrong?

Comment 13

[Jesse Ruderman]

There's no need to morph this into a dup of bug 85601, either :)