When did browsers start refusing to load pages from "unsafe" port numbers?

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
I tried to demonstrate to someone that our ISP doesn't block any ports. I was going to email a bunch of links to a web server running on my home computer. Only a couple of the links I tested would work (80, 443).


http://[ip]:21
http://[ip]:25
http://[ip]:80
http://[ip]:110
http://[ip]:143
http://[ip]:443
http://[ip]:465
http://[ip]:587
http://[ip]:993
http://[ip]:995


2014-08-14_browsers_block_ports_00_config.png


2014-08-14_browsers_block_ports_01_chrome.png


2014-08-14_browsers_block_ports_02_ie.png

IE isn't helpful at all. It doesn't even say why it failed.

2014-08-14_browsers_block_ports_03_firefox.png



When did this practice start?

I changed the configuration in the router to forward everything to 3389 instead of 80 and tested with the remote desktop client (mstsc /v:[IP]:[port]). Every port worked fine.
 
Feb 25, 2011
16,992
1,621
126
Since the browser developers realized:

1) Almost nobody ever has to do that.
2) They are smarter than us.

But most of those ports are reserved for non-http services. As you discovered, higher random port numbers are fine.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
Since the browser developers realized:

1) Almost nobody ever has to do that.
2) They are smarter than us.

But most of those ports are reserved for non-http services. As you discovered, higher random port numbers are fine.

QFT, the reasons should be obvious OP.

Most people that would be redirected to these are going to probably be getting hacked or worse.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Since the browser developers realized:

1) Almost nobody ever has to do that.
2) They are smarter than us.

But most of those ports are reserved for non-http services. As you discovered, higher random port numbers are fine.

The thing is, I wanted to demo that these specific ports were unblocked in a universal way that would work from any device with a web browser. I could not do that.

My question wasn't "why" (I know why). I didn't know when this practice started or how it was coordinated between them all. I really think it should just be a warning and a single click to bypass - with a user-configurable preference to suppress the warning in the future.

Tools like web browsers shouldn't impose rules on how they are used.
In general, this is the way I feel about most software with artificial restrictions.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
QFT, the reasons should be obvious OP.

Most people that would be redirected to these are going to probably be getting hacked or worse.

Didn't ask "why." I know why.

I asked "when?" I'm specifically curious about how this was coordinated between the major browsers. I'd also like to know why Internet Explorer shows a misleading error and Chrome makes me show details to get an appropriate description of the error.
 
Feb 25, 2011
16,992
1,621
126
I have no idea, but you could load a URL with a blocked port number into browsershots.org and see which versions fail.

If you want to come up with "live" proof that X Y or Z port is unblocked, just create a little shell script that tests telnet on a list of ports and reports back the results in realtime. If you want to get fancy, integrate it into a javascript-ey web page with animations and crap.
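An added example of the port check suggested in the post above (not code from the thread): it tries a TCP handshake on each port from the first post's link list and prints every result as it arrives. It is written in Python rather than as a telnet shell script so that a refused connection can be told apart from a silent drop; the function names are hypothetical.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed

# Ports from the link list in the first post.
PORTS = [21, 25, 80, 110, 143, 443, 465, 587, 993, 995]


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the result.

    open     - handshake completed, something is listening
    closed   - connection refused (a reset came back, so the path works)
    filtered - no reply before the timeout (packets dropped somewhere)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # e.g. no route to host, name resolution failure
        return "error: " + (exc.strerror or exc.__class__.__name__)


def scan(host, ports=PORTS, timeout=3.0):
    """Probe the ports in parallel, printing each result as it arrives."""
    results = {}
    with ThreadPoolExecutor(max_workers=16) as pool:
        futures = {pool.submit(probe, host, p, timeout): p for p in ports}
        for fut in as_completed(futures):
            port = futures[fut]
            results[port] = fut.result()
            print(f"{host}:{port:<5} {results[port]}", flush=True)
    return results


if __name__ == "__main__":
    # Usage: python porttest.py <address of the host you forwarded the ports to>
    if len(sys.argv) != 2:
        sys.exit("usage: porttest.py HOST")
    scan(sys.argv[1])
```

For the ISP question in the first post, "filtered" is the result that points at something on the path dropping traffic; "open" and "closed" both show that packets for that port reached the far end.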
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,225
126
So should an OS follow the same metrics and be open to the world by default?

I think that it would be more akin to an OS that doesn't let you install any program you want to, instead, you have to go through some sort of "approved" method, like an App Store. Which I also detest.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
There are ways to open up your browsers, if you need it done; YOU SHOULD KNOW.

For most businesses / homes, safer is better.

I open stuff up for me and know my fiancee and our kids are still locked down from doing anything too exploitable online.
 
Feb 25, 2011
16,992
1,621
126
But, how is a client blocking ports "safer"? It just breaks the internet. This isn't like a firewall.

It's not breaking anything. It's just the web browser refusing to do things on specific, "reserved" ports that it, a web browser, should have no business accessing.

So if I try to connect to a server with http on port 21, Chrome will quite rightly say, "no, I don't do that, you are bad and you should feel bad." But Chrome doesn't go behind my back and disable my ftp client. I can still use that to do what I need to do on port 21. If I need to access http traffic on port 21, I screwed up. If somebody else is running http on port 21, they need a kick in the face.

Compare the following:

ftp://ftp.iinet.net.au/pub/ubuntu-releases/
ftp://ftp.iinet.net.au:80/pub/ubuntu-releases/
ftp://ftp.iinet.net.au:21/pub/ubuntu-releases/
http://ftp.iinet.net.au/pub/ubuntu-releases/
http://ftp.iinet.net.au:80/pub/ubuntu-releases/
http://ftp.iinet.net.au:21/pub/ubuntu-releases/

This is only an issue for people who confuse their web browser with their operating system.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
It's not breaking anything. It's just the web browser refusing to do things on specific, "reserved" ports that it, a web browser, should have no business accessing.

So if I try to connect to a server with http on port 21, Chrome will quite rightly say, "no, I don't do that, you are bad and you should feel bad." But Chrome doesn't go behind my back and disable my ftp client. I can still use that to do what I need to do on port 21. If I need to access http traffic on port 21, I screwed up. If somebody else is running http on port 21, they need a kick in the face.

Compare the following:

ftp://ftp.iinet.net.au/pub/ubuntu-releases/
ftp://ftp.iinet.net.au:80/pub/ubuntu-releases/
ftp://ftp.iinet.net.au:21/pub/ubuntu-releases/
http://ftp.iinet.net.au/pub/ubuntu-releases/
http://ftp.iinet.net.au:80/pub/ubuntu-releases/
http://ftp.iinet.net.au:21/pub/ubuntu-releases/

This is only an issue for people who confuse their web browser with their operating system.

Well, doing it for diagnostic purposes (as I was doing) is not an illegitimate reason. Hosting services on ports not standardized for that protocol is another way to analyze traffic shaping on a network.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
It's not breaking anything. It's just the web browser refusing to do things on specific, "reserved" ports that it, a web browser, should have no business accessing.

So if I try to connect to a server with http on port 21, Chrome will quite rightly say, "no, I don't do that, you are bad and you should feel bad." But Chrome doesn't go behind my back and disable my ftp client. I can still use that to do what I need to do on port 21. If I need to access http traffic on port 21, I screwed up. If somebody else is running http on port 21, they need a kick in the face.

Compare the following:

ftp://ftp.iinet.net.au/pub/ubuntu-releases/
ftp://ftp.iinet.net.au:80/pub/ubuntu-releases/
ftp://ftp.iinet.net.au:21/pub/ubuntu-releases/
http://ftp.iinet.net.au/pub/ubuntu-releases/
http://ftp.iinet.net.au:80/pub/ubuntu-releases/
http://ftp.iinet.net.au:21/pub/ubuntu-releases/

This is only an issue for people who confuse their web browser with their operating system.

You get it.
 
Feb 25, 2011
16,992
1,621
126
Well, doing it for diagnostic purposes (as I was doing) is not an illegitimate reason. Hosting services on ports not standardized for that protocol is another way to analyze traffic shaping on a network.

Then use the right tool for the job. (Chrome is, imho, never the right tool for any job anyway, but I digress.)

You can, as mentioned, use telnet to confirm basic TCP connectivity on an arbitrary port. I don't have a whole lot of experience with traffic analyzers, but I imagine they'd let you specify ports.

Hell, you could even set up a local SSH tunnel and remap your outgoing port 80 traffic to port 21, 23, 443, etc., before it leaves your box. (Chrome would never be the wiser.)
 
Feb 25, 2011
16,992
1,621
126
Oh, you can also set up an override in Firefox.

https://www.redbrick.dcu.ie/~d_fens/articles/Firefox:_This_Address_is_Restricted

It seems as a security touch to Firefox it is now blocking non-standard HTTP ports. Kind of annoying really. To override this type this in the address bar about:config and search for network.security.ports.banned.override. This may or may not exist, if it doesn’t, right click anywhere in the window and select new->string and use network.security.ports.banned.override as the name and the port number you need to connect to as the value. You can also select a range of ports by using 1-1024 as such a value or as a CSV style values such as 1024, 8080, 1-1000, 80… et cetera.

I tried it and it works.
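An added example (not from the thread or from Firefox's source) that reads an override value in the comma-and-range format the quoted article describes and shows which blocked ports it re-enables. The blocked set is only what the first post observed, the address is a constructed documentation address, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Ports the first post found refused by the browsers (only 80 and 443 loaded).
# This is the thread's observation, not any browser's complete list.
BLOCKED_IN_THREAD = {21, 25, 110, 143, 465, 587, 993, 995}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_port_list(value):
    """Expand a value such as '1024, 8080, 1-1000, 80' into a set of ports."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        low, dash, high = item.partition("-")
        low = int(low)
        high = int(high) if dash else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port or range: {item!r}")
        ports.update(range(low, high + 1))
    return ports


def would_load(url, override=""):
    """True if the URL's port is not blocked, or the override re-enables it."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return port not in BLOCKED_IN_THREAD or port in parse_port_list(override)


def excess_ports(override, needed):
    """Blocked ports the override re-enables beyond the ones actually needed."""
    return sorted((parse_port_list(override) & BLOCKED_IN_THREAD) - set(needed))


if __name__ == "__main__":
    url = "http://192.0.2.10:21/"  # constructed address (TEST-NET-1)
    for override in ("", "21", "1-1024"):
        print(repr(override), would_load(url, override), excess_ports(override, [21]))
```

Both "21" and "1-1024" make the port 21 link load, but the range also lifts the block on the seven other ports from the first post, so listing only the port being tested keeps the rest of the protection in place.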