Re: solution time for www/smtp hole

rhb@hotsand.att.com
Fri, 13 Aug 93 14:16:10 EDT


>
> My apologies, I sent this to Marc personally the first time.
>
> On Fri, 13 Aug 93 01:27:32 -0500 Marc Andreessen wrote:
> > With that in mind, suppose we take the approach of only outlawing a
> > few ports as opposed to restricting the valid range to a given set
> > (both approaches have been suggested). What ports other than 25
> > should be outlawed?
>
> I don't think that exclusion is the way to go. If we're going to exclude
> any services listed in the Assigned Numbers RFC (rfc1340 right now) that
> look like they might be dangerous, we'd better exclude 71-74 (Remote Job
> Service), 82 (XFER Utility), etc. Most of the "funky" ports that are
> currently in use are already officially assigned to something else, and
> when you connect to port 82 on joe.random.host you can't be sure whether
> you're getting the XFER utility or the httpd that someone stuck on some
> random port.
>
> With exclusion, you can never be sure that you excluded enough.
>
> Yes, it will require people to redo their configurations, but arguably,
> any configuration with an HTTP server running on a port <1024 != 80 is
> wrong. I think that any non-experimental additional HTTP servers should
> either get assigned numbers from the IANA or use ports >1024.

Once again, let me jump in and agree and point out that today's Friday the 13th
(let's fix it before a black cat crosses our path...). Since ports 81-85
seem to be assigned, the use of port 80 only (and >1024) seems fine. Let's
get the thing fixed "officially" before the "cat's out of the bag". I would
have liked to have avoided distributing multiple fixes, but the process seems to
have failed.

Rich Brandwein
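The two port policies argued over in this thread, written out as an added example (this is not code from the thread or from any browser it discusses); the URLs, the deny-list and the handful of RFC 1340 port numbers are constructed from what the reply names:

```python
from urllib.parse import urlsplit

# "Outlaw a few ports" approach: deny-list, constructed from the thread.
EXCLUDED_PORTS = {25}

# A few of the low ports the reply says a deny-list would also have to
# cover (RFC 1340 assignments): 71-74 Remote Job Service, 82 XFER Utility.
OTHER_ASSIGNED_LOW_PORTS = set(range(71, 75)) | {82}


def port_of(url: str) -> int:
    """Effective TCP port of an http URL; the scheme default is 80."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"not an http URL: {url}")
    return 80 if parts.port is None else parts.port


def allowed_by_exclusion(url: str) -> bool:
    """Deny-list policy: anything not explicitly outlawed is fetched."""
    return port_of(url) not in EXCLUDED_PORTS


def allowed_by_range(url: str) -> bool:
    """Allow-list policy: only port 80 or an unprivileged port (>1024)."""
    port = port_of(url)
    return port == 80 or port > 1024


def leaked_low_ports(policy) -> set:
    """Which of the other assigned low ports a policy still lets a URL reach."""
    return {p for p in OTHER_ASSIGNED_LOW_PORTS
            if policy(f"http://joe.random.host:{p}/")}


if __name__ == "__main__":
    # Constructed sample URLs; the host name is the one used in the thread.
    for url in ("http://joe.random.host/", "http://joe.random.host:25/",
                "http://joe.random.host:82/", "http://joe.random.host:8080/"):
        print(url, allowed_by_exclusion(url), allowed_by_range(url))
    print("low ports reachable under exclusion:", leaked_low_ports(allowed_by_exclusion))
    print("low ports reachable under range:", leaked_low_ports(allowed_by_range))
```

Under the deny-list every assigned low port except 25 remains reachable, which is the "you can never be sure that you excluded enough" point; the allow-list reaches none of them.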