Re: [whatwg/fetch] Consider shifting the "bad port list" to an allowlist. (#1189)

Regarding the table: between [Alt-Svc](https://tools.ietf.org/html/rfc7838) and [SVCB/HTTPS](https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-02), the bad port list needs to be applied not just at URLs, but also at the endpoint we actually connect to. Otherwise any protocol-confusion attacks can just as easily apply after the redirect.

I don't think either feature invalidates the numbers in the original report, since they're fairly rare and, for now, merely alternate routes one can safely ignore. (Though, with [ECH](https://tools.ietf.org/html/draft-ietf-tls-esni-09) in SVCB/HTTP, that will later no longer be the case.) But if the intent is to bound the use of arbitrary ports, which I agree seems prudent given all this mess, that's probably some feedback to the IETF to stop building unbounded port redirection into everything. (@bemasc @ericorth FYI)

The other wrinkle is Alt-Svc and SVCB/HTTP specify not just TCP ports but also UDP ports for QUIC (@DavidSchinazi FYI). Protocols that run on the two ports don't coincide as much, so we may want to treat them differently? (Fortunately, QUIC is a lot less malleable than cleartext HTTP. Unfortunately, it probably still is malleable enough under chosen plaintext scenarios like the web. Fortunately most random protocols are TCP anyway.)

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1189#issuecomment-794117095

Received on Tuesday, 9 March 2021 16:24:27 UTC
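
The comment's point about checking the endpoint actually connected to, as an added example that is not part of the original message or of any browser's code: it parses an Alt-Svc field value (RFC 7838) and applies a blocked-port check per transport. The port sets are short constructed excerpts, the separate UDP set is an assumed policy, and `parseAltSvc` and `filterAlternatives` are hypothetical names.

```javascript
// Added example: apply a blocked-port check to Alt-Svc alternatives, i.e. to
// the endpoint a client would really connect to, not only to the URL's port.

// Abbreviated excerpt of the Fetch bad port list, for illustration only.
const BAD_TCP_PORTS = new Set([21, 22, 25, 110, 143, 6667]);
// Assumption: UDP (QUIC) gets its own set; these entries are constructed.
const BAD_UDP_PORTS = new Set([53, 123, 161]);

// Parse an Alt-Svc field value into [{ protocol, host, port }].
// `clear` yields no alternatives; parameters (ma, persist) are ignored.
function parseAltSvc(value) {
  if (value.trim() === "clear") return [];
  const out = [];
  // Split alt-values on commas that sit outside quoted strings.
  for (const altValue of value.match(/(?:[^,"]|"[^"]*")+/g) || []) {
    // protocol-id "=" quoted alt-authority of the form [uri-host] ":" port
    const m = /^\s*([^=\s;]+)="([^"]*):(\d{1,5})"/.exec(altValue);
    if (!m) continue; // malformed alternative: ignore it
    const port = Number(m[3]);
    if (port > 65535) continue;
    out.push({ protocol: m[1], host: m[2], port });
  }
  return out;
}

// Sort alternatives into usable and refused endpoints.
// An empty uri-host means "same host as the origin", so originHost fills it in.
function filterAlternatives(headerValue, originHost) {
  const allowed = [];
  const blocked = [];
  for (const alt of parseAltSvc(headerValue)) {
    // h3 runs over QUIC (UDP); other protocol ids here are treated as TCP.
    const transport = alt.protocol.startsWith("h3") ? "udp" : "tcp";
    const bad = transport === "udp" ? BAD_UDP_PORTS : BAD_TCP_PORTS;
    const endpoint = { ...alt, host: alt.host || originHost, transport };
    (bad.has(alt.port) ? blocked : allowed).push(endpoint);
  }
  return { allowed, blocked };
}

// Constructed sample header, not taken from real traffic.
const SAMPLE =
  'h3=":443"; ma=3600, h2="alt.example.com:25", h2="alt.example.com:8443"; persist=1';
console.log(filterAlternatives(SAMPLE, "www.example.com"));
```

The same check would apply to the port carried in an SVCB/HTTPS record; only the parsing differs.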