[whatwg/fetch] Consider shifting the "bad port list" to an allowlist. (#1189)

Given the drip-by-drip expansion of the bad port list over time, I wonder whether it's reasonable to invert the list. Skimming through HTTP Archive, for example, ~99.94% of URLs requested are using the default port, and a substantial amount of the rest are specifying well-known ports like 8080, 8443, 444, 8090, 8081, 81, 8000, 443, and so on.

Given that we know there's real risk here, perhaps coming up with a feasible allowlist (with user-agent specific carveouts via devtools and/or enterprise policy) would be a good use of our time?

The following HTTP Archive query:

```sql
SELECT
  REGEXP_EXTRACT(url, CONCAT(NET.HOST(url), ":([0-9]+)")) as port,
  COUNT(*) as num,
  count(*) * 100.0 / sum(count(*)) over() as percent
FROM
  `httparchive.requests.2021_02_01_desktop`
GROUP BY
  port
ORDER BY
  num DESC
LIMIT 50
```

yields:

Port | Percent
----------|----------
null | 99.943
8080 | 0.0076206
8443 | 0.0038307
444 | 0.0018087
8090 | 0.0014097
8081 | 0.0012318
11103 | 0.00096948
3000 | 0.00090611
81 | 0.00090592
8000 | 0.00073031
4433 | 0.00068932
8901 | 0.00066261
4450 | 0.00062426
2083 | 0.00061899
44444 | 0.00059304
443 | 0.00054886
8082 | 0.00054190
8888 | 0.00049884
10010 | 0.00048211
9443 | 0.00046970
3001 | 0.00045334
8123 | 0.00044130
5000 | 0.00042758
4200 | 0.00041498
6001 | 0.00040445
7767 | 0.00038001
2096 | 0.00037004
4443 | 0.00033131
8083 | 0.00032980
446 | 0.00032924
442 | 0.00032172
8088 | 0.00031326
10001 | 0.00030630
82 | 0.00028016
61122 | 0.00027922
7777 | 0.00027659
10443 | 0.00027245
88 | 0.00026230
85 | 0.00024425
8181 | 0.00023729
9000 | 0.00022451
3002 | 0.00022394
8093 | 0.00022169
8099 | 0.00020758
2053 | 0.00020476
9090 | 0.00020232
8085 | 0.00020119
5001 | 0.00019875
1443 | 0.00019856
335 | 0.00019611

Based on this initial sampling, it might not be crazy to build an allowlist of the top XXX ports in actual usage today, and then cull it over time.

/cc @MattMenke2 @ricea @mozfreddyb @youennf to follow up on https://github.com/whatwg/fetch/pull/1148 and https://groups.google.com/a/chromium.org/g/blink-dev/c/kyVo08TtOp8/m/nu4B94LcCAAJ.
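As an added illustration (not code from this issue or from the Fetch spec), the allowlist form of the port check sketched above could look like this in JavaScript: a few rows copied from the HTTP Archive table stand in for the full data, and the threshold, `buildAllowlist`, `shouldBlockPort` and the `carveouts` parameter (standing in for devtools/enterprise-policy exceptions) are assumptions made for the example.

```javascript
// Added example, not from the whatwg/fetch issue: an allowlist variant of the
// Fetch "bad port" check, with the allowlist derived from observed port usage.

// Constructed sample: (port, percent of requests) rows taken from the HTTP
// Archive table above. A null port means the URL used the scheme's default.
const SAMPLE_ROWS = [
  [null, 99.943], [8080, 0.0076206], [8443, 0.0038307], [444, 0.0018087],
  [8090, 0.0014097], [8081, 0.0012318], [11103, 0.00096948], [3000, 0.00090611],
];

// Build the allowlist of explicit ports: keep every port whose share of all
// requests is at least minPercent. The default-port row is never listed,
// because a URL on its scheme's default port is always allowed.
function buildAllowlist(rows, minPercent) {
  return new Set(
    rows.filter(([port, pct]) => port !== null && pct >= minPercent)
        .map(([port]) => port)
  );
}

// Explicit port of a URL, or null when the URL API reports the scheme default
// (the URL parser drops a port equal to the scheme's default, e.g. https:443).
function explicitPort(urlString) {
  const u = new URL(urlString);
  return u.port === '' ? null : Number(u.port);
}

// Allowlist version of "should fetching request be blocked due to a bad port":
// default ports are always allowed; an explicit port must be on the allowlist
// or in a user-agent-specific carveout set (assumed: devtools/enterprise policy).
function shouldBlockPort(urlString, allowlist, carveouts = new Set()) {
  const port = explicitPort(urlString);
  if (port === null) return false;
  return !(allowlist.has(port) || carveouts.has(port));
}

// Usage: a 0.001% cut keeps 8080, 8443, 444, 8090 and 8081 from the sample.
const ALLOWLIST = buildAllowlist(SAMPLE_ROWS, 0.001);
console.log([...ALLOWLIST], shouldBlockPort('http://example.com:6000/', ALLOWLIST));
```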

https://github.com/whatwg/fetch/issues/1189

Received on Tuesday, 9 March 2021 07:47:20 UTC