[HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 16 July 2010 19:20 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 881133A6991 for <hasmat@core3.amsl.com>; Fri, 16 Jul 2010 12:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.257
X-Spam-Level:
X-Spam-Status: No, score=-0.257 tagged_above=-999 required=5 tests=[AWL=-0.407, BAYES_40=-0.185, IP_NOT_FRIENDLY=0.334, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFs0UAMCVRu8 for <hasmat@core3.amsl.com>; Fri, 16 Jul 2010 12:20:13 -0700 (PDT)
Received: from cpoproxy2-pub.bluehost.com (cpoproxy2-pub.bluehost.com [67.222.39.38]) by core3.amsl.com (Postfix) with SMTP id A45983A6ADE for <hasmat@ietf.org>; Fri, 16 Jul 2010 12:20:13 -0700 (PDT)
Received: (qmail 15747 invoked by uid 0); 16 Jul 2010 19:20:25 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy2.bluehost.com with SMTP; 16 Jul 2010 19:20:24 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=w32EPdnIwCzt8xyEcM1LG2BRTPHj1c7cwq6kaUruU5wno+ct+wbbwF+I6gFH7uAAhYuADZYWeVuQ9/CtYwdZ/DQfCfZPnQo3/QiaRegDqRm2HmX9/mLIIePbt+rFnyHa;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OZqSO-0003l9-PS for hasmat@ietf.org; Fri, 16 Jul 2010 13:20:24 -0600
Message-ID: <4C40B0F7.4010008@KingsMountain.com>
Date: Fri, 16 Jul 2010 12:20:23 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF HASMAT list <hasmat@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Subject: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jul 2010 19:20:14 -0000
Comment 51 Kai Engert <kaie@kuix.de> 2010-07-13 17:23:36 PDT https://bugzilla.mozilla.org/show_bug.cgi?id=495115#c51 One more detail which I don't see addressed in the spec yet: port numbers! IMHO the primary key should not be "host", but "host:port". Also, what happens if the server choses to issue an redirect to a non-standard port number? The current code is hard-coded to always construct STS-host uris to the default port (-1 = 443). The current code will fail if a STS-host choses to redirect to https://www.host.com:444 The current code will do funky things if there are two separate http servers running on the same host, e.g. - http://host.com/ (default 80) and - http://host.com:8080 This configuration is often used on web servers, where the default port is the actual server, and the additional port is a web-site-maintenance interface. Let's say www.site.com is using port 80 for the public web and is used to redirect to 443. www.site.com is behind a firewall and won't allow connections to ports other than 80 and 443 from the outside world. www.site.com has a plain http maintenance interface on port 8080. I think with the current code, it's impossible to connect to http://www.site.com:8080, because our http engine will always catch that request and redirect to https://www.site.com:443/ If you want to keep it simple, and only address the standard configuration, my proposal is: - restrict the redirection to http requests that go to port 80 --- end
- [HASMAT] wrt port numbers - comment 51 bug 495115… =JeffH
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… =JeffH
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Steingruebl, Andy
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Devdatta Akhawe
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Steingruebl, Andy
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Steingruebl, Andy
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Kai Engert
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Dan Winship