Should we block port 10080? #1191
Comments
Tests: web-platform-tests/wpt#27990. Follow-ups: #1189 & #1191. Fixes part of #544.
|
Summarising what we know so far:
Did I miss anything? |
|
Additional information:
|
|
I adapted the SQL at #1189 (comment) to look only at ports that end in "080". This gives the following results:
Percentages are as a proportion of only the ports that end in "080". 10080 is in 6th place among this set of ports. What this means is subject to interpretation. Usual caveats of using data from the HTTPArchive apply. |
|
Thanks for summarizing again, @ricea.
I was originally under the impression that @samyk had found a product that intercepted port 10080. But IIRC he pointed to the linux conntrack module and that clearly looks at UDP only. Are we missing something here, Samy? Happy to leave 10080 as unblocked (and revert our block Firefox) Adam's summary remains correct. |
Looks like I was wrong about this, since nf_conntrack_amanda.c exists. Sorry. The other items still appear to be correct. |
|
@mozfreddyb Hey there, I don't know of anything that explicitly uses TCP 10080, but I also suspect some software may blindly perform ALG on both UDP/TCP thus was suggesting both for safety. However I do see the value of the |
|
Unfortunately, it looks like it is easy to get the client to send arbitrary plaintext with QUIC: https://groups.google.com/a/chromium.org/g/proto-quic/c/KVqeA9q0OAc/m/-NxF0hkqCAAJ So we have to block port 10080 for UDP at least. I think the option of doing nothing is no longer on the table. Currently in Chrome blocking a port for only QUIC is not something that's implemented, but I'm sure I could work it out if that's the way we decide to go. |
|
@ricea slightly off-topic, but should port blocking apply to WebTransport then? I've been thinking that we should move it into the obtain a connection section, also to account for Alt-Svc. And then if WebRTC also obtains a connection through Fetch we can squash all these issues in one place. |
Yes, definitely. |
|
My current tentative plan is to block 10080 in Chrome but to add an enterprise policy first so that admins can override the block. This means it will take a couple of week and I won't be backporting the block to older versions. |
|
(@vasilvv for WebTransport.) |
|
I've sent an intent to implement and ship a block on port 10080: https://groups.google.com/a/chromium.org/g/blink-dev/c/CNpLNXx2wf0/m/Ehi3cx1YAQAJ I can retract it if there is disagreement here, but I have convinced myself of the necessity and I would like to move ahead with a block. |
|
That's great. With Chrome and Firefox blocking, anyone want to update the specification and tests? |
|
@ricea, thanks for doing this. |
Tests: web-platform-tests/wpt#28445. Fixes #1191.
See Fetch Standard issue whatwg/fetch#1191 for justification and background, and https://groups.google.com/a/chromium.org/g/blink-dev/c/CNpLNXx2wf0/m/Ehi3cx1YAQAJ for the intent-to-ship thread. BUG=1197299 Change-Id: Ie664726307fef0d8578ffbaea9793b74d722b58a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2814044 Commit-Queue: Adam Rice <ricea@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#871865}
Tests: web-platform-tests/wpt#28445. Fixes #1191.
Block port 10080 See whatwg/fetch#1191 <!-- Please describe your changes on the following line: --> --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [ ] These changes fix #___ (GitHub issue number if applicable) <!-- Either: --> - [ ] There are tests for these changes OR - [ ] These changes do not require tests because ___ <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
… a=testonly Automatic update from web-platform-tests Fetch: block port 10080 See whatwg/fetch#1191. -- wpt-commits: 7b44570e46cb6e2b45231b8c38572c7695a7fd12 wpt-pr: 28445
See Fetch Standard issue whatwg/fetch#1191 for justification and background, and https://groups.google.com/a/chromium.org/g/blink-dev/c/CNpLNXx2wf0/m/Ehi3cx1YAQAJ for the intent-to-ship thread. BUG=1197299 (cherry picked from commit d6e884b) Change-Id: Ie664726307fef0d8578ffbaea9793b74d722b58a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2814044 Commit-Queue: Adam Rice <ricea@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#871865} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2830519 Auto-Submit: Adam Rice <ricea@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/branch-heads/4472@{chromium#151} Cr-Branched-From: 3d60439-refs/heads/master@{#870763}
|
Belated data about usage of port 10080 from Chrome's stable channel:
The percentages are relative to all ports affected by Slipstream vulnerabilities, so they only represent about a millionth of all requests overall. There's some bias in the data from the fact we're already blocking all these ports except for 10080. Incidentally, the block of port 10080 is shipping to stable this week in Chrome version 91. |
|
Zend Server defaults to 10080. There's been a lot of reports on mailing lists like Midrange, and certainly calls from clients at work why their Zend sites stopped working when they updated their browser. |
Not sure if this is due to running on Zend but I've seen reports of at least one captive wifi deployment being affected meaning Android users running the latest System Webview can't authenticate. |
I can confirm this breaks captive portal (“Guest Wifi”) per the above on the Linksys WRT1900AC – users cannot login after android detects captive portal and pops up native browser. See also |
As discussed in #1148 Firefox blocks this since November: https://bugzilla.mozilla.org/show_bug.cgi?id=1677940 which went to release end of January.
(See also #1189 for a completely different approach.)
cc @mozfreddyb @youennf @ricea
The text was updated successfully, but these errors were encountered: