Re: [whatwg/fetch] Consider shifting the "bad port list" to an allowlist. (#1189)

I'm trying to understand what the point of enshrining such a blocklist or allowlist in the long term is—I understand that it's useful for the web platform to be part of a coordinated incident response to individual vulnerabilities in this area, but isn't the ultimate responsibility on the NAT firewalls in question to close the hole created by their improper parsing of these protocols? We're never going to fix this problem by blacklisting or allow-listing specific ports if the broken NAT and ALG systems remain in place and continue to be developed. In that way, this type of attack is very similar to HTTP request smuggling—there just isn't enough information on the client side to be able to block it comprehensively.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1189#issuecomment-795605862

Received on Wednesday, 10 March 2021 15:29:38 UTC