To: Ned Freed <NED@innosoft.com>
Cc: Larry Masinter <firstname.lastname@example.org>, email@example.com
Subject: Re: Predraft of a new URL scheme: mailmsg
In-Reply-To: Your message of "Thu, 05 Jan 1995 12:39:54 MST." <01HLHKVL7ZL68ZDW0P@INNOSOFT.COM>
Date: Thu, 05 Jan 1995 17:55:35 -0500
Message-Id: <firstname.lastname@example.org>
From: Marc VanHeyningen <email@example.com>

> > > ... and a list of standard ports to shun should probably be added.
>
> > I don't think anyone was able to generate one, although I remember it
> > being discussed. What ports do YOU think should be shunned?

Ah... The plan to put together a list of Dangerous, Insecure Ports; I call it the DIP list.

> Hmm. Well, on inspection there really aren't that many. I don't think any port
> that could prove useful should be banned. For example, I suppose that use of
> the echo port in a URL could provide a useful test service.
>
> This leaves the following ports that are clearly either useless or potentially
> harmful:
>
> discard   9/tcp    Discard
> chargen   19/tcp   Character Generator
> smtp      25/tcp   Simple Mail Transfer
> domain    53/tcp   Domain Name Server
> kerberos  88/tcp   Kerberos
> snmp      161/tcp  SNMP

I'd add NNTP as well, assuming forging news is as problematic as forging mail. Unfortunately, there are hundreds of protocols, registered and unregistered, and I somehow doubt anybody would want to analyze them all for security concerns.

When this was brought up before, it was pointed out a number of people use nonstandard ports for their information servers if they need to run multiple servers on the same machine for some reason; for instance, multiple HTTP servers would run on port 81, 82, 83... Fortunately, this practice is declining now, but I expect there's somebody somewhere using at least some of these ports for something. The question is whether it's common enough that we should have to worry about it. I hope not.
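
As an added illustration that is not part of the original message or thread: a small client-side check that refuses to connect when a URL's port is on the list quoted above, while still allowing nonstandard ports such as 81-83. The name `check_url_port`, the scheme default-port table, and the NNTP port number (119/tcp, which the message does not state) are assumptions supplied for this example.

```python
from urllib.parse import urlsplit

# Ports from the quoted list, plus NNTP as suggested in the reply.
# 119/tcp is the assigned NNTP port; the message names only the protocol.
SHUNNED_PORTS = {
    9: "discard",
    19: "chargen",
    25: "smtp",
    53: "domain",
    88: "kerberos",
    119: "nntp",
    161: "snmp",
}

# Assumption: the client knows the default port for the schemes it speaks.
DEFAULT_PORTS = {"http": 80, "gopher": 70, "ftp": 21}


def check_url_port(url):
    """Return (allowed, reason) for the TCP port a client would connect to."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on non-numeric or out-of-range ports
    except ValueError:
        return False, "unparseable port"
    if port is None:
        # No explicit port: fall back to the scheme default.
        port = DEFAULT_PORTS.get(parts.scheme.lower())
        if port is None:
            return False, "no port given and scheme default unknown"
    if port in SHUNNED_PORTS:
        return False, f"port {port} ({SHUNNED_PORTS[port]}) is on the shun list"
    return True, f"port {port} allowed"


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("http://example.org:25/", "http://example.org:81/",
              "gopher://example.org/", "http://example.org:7/"):
        print(u, check_url_port(u))
```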