Re: Restricted ports

rhb@hotsand.att.com
Fri, 13 Aug 93 10:33:20 EDT


I strongly agree with arguments on limiting http access to a very
minimal set under 1024 and pushing for servers to either move
their port numbers to this restricted set or above the 1024 level.

****From Tony Sanders***************
Second, if you are using anything below 1024 other than 80 for HTTP then
you are violating the basic principle of those being reserved ports and
you should ask yourself "why" you are using those ports? Do you
know why they exist?

The basic idea is if you trust the host then you can trust all ports under
1024 to be what they say they are and not users running trojan horses
on them.

HTTP in general has nothing to lose by being spoofed so it doesn't have to
run on a secure port unless you are sending authentication or sensitive
information, and in those cases you should *ONLY* talk to port 80 on
trusted hosts (this is why you should never send anything you want kept
private via email, because it passes through untrusted hosts).

So please don't use ports other than 80 unless they are over 1024.
And browsers should warn users before sending sensitive information
(like userid/passwd in the clear) to ports other than 80.
****************************************

*****From Larry Masinter****************
It seems like bad design methodology to base protocol design on
a few special cases. So, try to decide in general whether allowing
HTTP connections to port 38 is a good idea, ignoring whether or not
there's one or two HTTP servers that listen on port 38.

In fact, it would be lovely to suggest a couple of blocks of 'HTTP
port numbers', and ask everybody to migrate their usage to those.
(Well, for example, how about 80-85 and 1080-1085?)

It would take a little while to transition, but then we'd get better
usage statistics, error checking, and less interference with other
protocols.

*******************************

Agreed, though I don't know if we need to restrict on the higher
range. If we have a need for more than one port under 1024, let's
get IETF to register them:

***********From Ed Vielmetti***************
If you are going to use low numbered IP ports (e.g. 81, 82, 83) for
HTTP then you should register that usage with the Internet Assigned
Numbers Authority (iana@venera.isi.edu).

You have no way of guaranteeing that these low numbered ports will
not be assigned in the future to some other official network service,
and you will be unhappy when that happens.
*********************************

I assume that port 80 is already assigned by this group to http.

Consensus? To allow some flexibility, maybe we could have a Makefile
parameter for "acceptable ports".

Rich Brandwein
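The port policy sketched in this thread (treat 80 as the registered HTTP port, treat anything else below 1024 as a privileged port that may collide with another service, treat anything at or above 1024 as a port any local user could be listening on, and have the browser warn before sending a userid/password in the clear anywhere but an acceptable port) can be written down as a small client-side check. The following is an added example, not code from this message or from any 1993 browser or server; the `ACCEPTABLE_HTTP_PORTS` set is a placeholder for the "acceptable ports" Makefile parameter proposed above, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Placeholder for the proposed "acceptable ports" build parameter
# (constructed for this example; only 80 is assumed registered for HTTP).
ACCEPTABLE_HTTP_PORTS = frozenset({80})

# On classic Unix, ports 0-1023 can only be bound by root, which is the
# basis for the "trust ports under 1024 on a trusted host" argument.
PRIVILEGED_MAX = 1023


def http_port(url):
    """Return the TCP port an http:// URL will connect to (80 if omitted)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only http:// URLs are considered in this example")
    return parts.port if parts.port is not None else 80


def classify_port(port):
    """Classify a port according to the policy discussed in the thread."""
    if port in ACCEPTABLE_HTTP_PORTS:
        return "registered-http"          # the port IANA assigns to HTTP
    if 0 <= port <= PRIVILEGED_MAX:
        return "privileged-unregistered"  # root-only, but not assigned to HTTP
    return "unprivileged"                 # any local user could be listening


def should_warn(url, sends_credentials):
    """Decide whether a browser should warn before sending to this URL.

    Returns (warn, reason). Spoofing plain HTTP gains an attacker nothing
    unless sensitive data is being sent, so the warning is only raised when
    credentials are involved and the port is not an acceptable HTTP port.
    """
    port = http_port(url)
    kind = classify_port(port)
    if not sends_credentials:
        return (False, f"port {port}: nothing sensitive is sent, spoofing gains nothing")
    if kind == "registered-http":
        return (False, f"port {port} is the registered HTTP port")
    if kind == "privileged-unregistered":
        return (True, f"port {port} is below 1024 but not assigned to HTTP; "
                      "it may belong to another service")
    return (True, f"port {port} is at or above 1024; any local user on the host "
                  "could be the one listening")


def check_urls(urls, sends_credentials):
    """Run the policy over several URLs; returns a list of (url, warn, reason)."""
    return [(u, *should_warn(u, sends_credentials)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the message.
    samples = [
        "http://www.example.org/index.html",
        "http://www.example.org:38/",
        "http://www.example.org:8001/private/",
    ]
    for url, warn, reason in check_urls(samples, sends_credentials=True):
        print(("WARN " if warn else "ok   ") + url + "  (" + reason + ")")
```

Note that this check only encodes the thread's port-based heuristic; it says nothing about whether the remote host itself is trusted, which the quoted message treats as a separate precondition.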