[linux-elitists] Yet another mozilla atrocity

Ed Carp erc@smi.kicks-ass.net
Sun Sep 28 21:05:10 PDT 2003


On Sun, 28 Sep 2003, Michael Bacarella wrote:

> > It's not the job of a browser to block ports!  Idiots.

> "On 08/15/2001, Cert issued a Vulnerability Note VU#476267  for
> a "Cross-Protocol" scripting attack, known as the HTML Form Protocol
> Attack which allowed sending arbitrary data to most TCP ports. A simple
> exploit of this hole allows an attacker to send forged unsigned mail
> through a mail server behind your firewall: A really nasty hole.
>
> "Mozilla quickly responded by modifying how protocols can access ports.

I stand by my statement.  It's not the job of a browser to block access
to ports, unless it's the wish of the user to block that sort of access
via ActiveX controls, Java, or a similar mechanism.  But that's not the
same as the original poster's complaint, which as I understand it was
typing in something like "http://site.com:901" and having that blocked by
the browser implicitly. *That* is what I call dumb.

> They're not saying "no one would need to run an http server on this
> port, lets disable them!", they're saying "it'd be really REALLY bad
> if we let any web site send data to any host behind your firewall".

So?  And when is it the job of the browser to block those ports?  It's
*not*, which is why I was so strong in my statement.

> Fortunately, if you need to access these ports, there are instructions
> on enabling access not six pararaphs down.

Disabling access via ActiveX controls and the like by default is a matter
of opinion - but I shouldn't have to read a web site or a security
advisory to turn back on what Iwanted on in the first place.

> Perhaps you should watch who you call idiots.

I did, which is why I said it in the first place.  Perhaps my choice of
wording was not precise - perhaps "arrogant fools" would be a better fit?
Any programmer who presumes to make choices for a user and then not allow
them an easy way to reverse those choices (unless there's a very good
reason to make it hard to do) is arrogant - and a fool.



More information about the linux-elitists mailing list