[linux-elitists] Yet another mozilla atrocity
Sun Sep 28 21:05:10 PDT 2003
On Sun, 28 Sep 2003, Michael Bacarella wrote:
> > It's not the job of a browser to block ports! Idiots.
> "On 08/15/2001, Cert issued a Vulnerability Note VU#476267 for
> a "Cross-Protocol" scripting attack, known as the HTML Form Protocol
> Attack which allowed sending arbitrary data to most TCP ports. A simple
> exploit of this hole allows an attacker to send forged unsigned mail
> through a mail server behind your firewall: A really nasty hole.
> "Mozilla quickly responded by modifying how protocols can access ports.
I stand by my statement. It's not the job of a browser to block access
to ports, unless it's the wish of the user to block that sort of access
via ActiveX controls, Java, or a similar mechanism. But that's not the
same as the original poster's complaint, which as I understand it was
typing in something like "http://site.com:901" and having that blocked by
the browser implicitly. *That* is what I call dumb.
> They're not saying "no one would need to run an http server on this
> port, let's disable them!", they're saying "it'd be really REALLY bad
> if we let any web site send data to any host behind your firewall".
So? And when is it the job of the browser to block those ports? It's
*not*, which is why I was so strong in my statement.
> Fortunately, if you need to access these ports, there are instructions
> on enabling access not six paragraphs down.
Disabling access via ActiveX controls and the like by default is a matter
of opinion - but I shouldn't have to read a web site or a security
advisory to turn back on what I wanted on in the first place.
> Perhaps you should watch who you call idiots.
I did, which is why I said it in the first place. Perhaps my choice of
wording was not precise - perhaps "arrogant fools" would be a better fit?
Any programmer who presumes to make choices for a user and then not allow
them an easy way to reverse those choices (unless there's a very good
reason to make it hard to do) is arrogant - and a fool.
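An added illustration of the two sides of this argument, not code from the thread, from Mozilla, or from the CERT note. It models (a) the mechanism behind the HTML Form Protocol Attack the quoted text describes: a browser POSTs a text/plain form to a mail server's port, the HTTP request line and headers draw "500 unrecognized command" replies from a tolerant line-oriented SMTP server, and the form body lines are then executed as SMTP commands; and (b) the browser-side countermeasure, a restricted-port check with a user override. The restricted-port set, host names, addresses and the captured POST are all constructed for the example; the set is not Mozilla's real list, and the override parameter only mirrors in spirit the preference Mozilla ships as network.security.ports.banned.override. The `max_errors` knob shows the server-side mitigation a practitioner would want regardless of what the browser does: drop the connection after a run of garbage commands.

```python
"""Toy model of the HTML Form Protocol Attack (cross-protocol scripting,
CERT VU#476267) and of browser-side port blocking.

Added example, not code from the mailing-list post, Mozilla or CERT.
"""
from urllib.parse import urlsplit

# ASSUMPTION: a small illustrative set of well-known non-HTTP ports a browser
# might refuse to speak http:// to. Mozilla's actual list is longer and differs.
RESTRICTED_PORTS = frozenset({21, 23, 25, 110, 119, 143})


def is_port_restricted(url, override=frozenset()):
    """Return True if the browser policy would refuse to open `url`.

    `override` plays the role of a user preference that re-enables ports;
    only explicit http/https ports are subject to the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    port = parts.port  # None when the URL carries no explicit port
    if port is None:
        return False
    return port in RESTRICTED_PORTS and port not in override


# Constructed example of what a browser sends for a text/plain form whose
# textarea value contains newline-separated SMTP commands. The first body line
# is "fieldname=value"; the remaining textarea lines arrive verbatim.
EXAMPLE_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: mail.internal:25\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"x=ignored\r\n"
    b"HELO attacker.example\r\n"
    b"MAIL FROM:<forged@example.com>\r\n"
    b"RCPT TO:<victim@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: not really from us\r\n"
    b"\r\n"
    b"hello\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

SMTP_VERBS = ("HELO", "EHLO", "MAIL", "RCPT", "QUIT")


def smtp_commands_accepted(http_request, max_errors=None):
    """Simulate a line-oriented SMTP server that receives a raw HTTP POST.

    Every CRLF-terminated line is parsed as an SMTP command. Lines it does
    not recognise (the HTTP request line, headers, the "field=" prefix) get
    a "500" and are ignored; recognised lines are acted on. Inside DATA all
    lines up to a lone "." are message body. Returns the commands the server
    would execute.

    `max_errors`, when set, models a hardened server that closes the
    connection after that many consecutive unrecognised commands, so the HTTP
    preamble alone ends the session before any body line is reached.
    """
    accepted = []
    in_data = False
    consecutive_errors = 0
    for raw in http_request.split(b"\r\n"):
        line = raw.decode("latin-1")
        if in_data:
            if line == ".":
                in_data = False
                accepted.append("<message body end>")
            continue
        verb = line.split(" ", 1)[0].upper() if line else ""
        if verb in SMTP_VERBS or verb == "DATA":
            accepted.append(line)
            consecutive_errors = 0
            if verb == "DATA":
                in_data = True
            elif verb == "QUIT":
                break  # server closes the connection
        else:
            consecutive_errors += 1  # "500 unrecognized command"
            if max_errors is not None and consecutive_errors >= max_errors:
                break  # hardened server drops the client
    return accepted


if __name__ == "__main__":
    print("browser blocks http://mail.internal:25/ ?",
          is_port_restricted("http://mail.internal:25/"))
    print("tolerant server executes:", smtp_commands_accepted(EXAMPLE_POST))
    print("strict server executes:  ",
          smtp_commands_accepted(EXAMPLE_POST, max_errors=3))
```

Running it shows the tolerant server executing the forged MAIL FROM / RCPT TO / DATA sequence from the form body, while the strict server, which gives up after three bad commands, never gets past the HTTP headers. That is the point both sides of the thread are circling: the browser block is a stopgap for servers that accept garbage indefinitely, and the user override exists because the block also catches legitimate HTTP on unusual ports.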