Bug 14538
| Summary: | Network port blocking breaks internet banking on major Estonian bank | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Mark Rowe (bdash) <mrowe> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Major | CC: | ap, beidson, link, markmalone, mrowe, rsnyder, tfr |
| Priority: | P2 | Keywords: | InRadar, Regression |
| Version: | 523.x (Safari 3) | ||
| Hardware: | Mac | ||
| OS: | OS X 10.4 | ||
| URL: | https://www.hanza.net/cgi-bin/hanzanet | ||
Mark Rowe (bdash)
As noted in bug 14100, hanza.net uses port 563 for its HTTPS communication when the user chooses to authenticate via a government-issued smartcard. The port blocking added to resolve <rdar://problem/4429701> causes the page load to fail with the mesasge:
"Not allowed to use restricted network port" (WebKitErrorDomain:103)
To reproduce this:
1) Visit the URL above.
2) Click "Sisene ID-kaardiga".
Arguably the correct solution here would be to evangelize the bank as using port 563 (NNTPS) for HTTPS traffic is a rather odd thing to be doing in the first place.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Mark Rowe (bdash)
<rdar://problem/5316601>
David Kilzer (:ddkilzer)
See Bug 14100 Comment #8.
Maciej Stachowiak
It sounds like the bank is willing to fix this. Downgrading to P2.
Robert Snyder
This problem has returned in Safari 5
Brady Eidson
(In reply to comment #4)
> This problem has returned in Safari 5
Did the steps to reproduce change? From the first comment...
> To reproduce this:
> 1) Visit the URL above.
> 2) Click "Sisene ID-kaardiga".
I don't see these on the page anymore.
Brady Eidson
AFAIK, the only substanative change to the port blocking mechanism that shipped in Safari 5 was the addition of ports 6665-6669 to the blacklist. Does the bank use one of these...?
Indrek Siitan
Swedbank (formerly Hansabank) has changed their website, so that the smartcard login is now at https://id.swedbank.ee using the standard SSL port 443, so this is no longer an issue.
I guess Robert has hit a similar issue with some other site.
Robert Snyder
We use port 6666. I am fine if they want to warn uses if they encounter web sites on odd ports, and then allow the user to override that warning if the user knows it is a safe site. But we use browsers on odd ports regularly. What is the issue with allowing users to access any port they wish?
Terje Bless
(In reply to comment #6)
> AFAIK, the only substanative change to the port blocking mechanism that shipped in Safari 5 was the addition of ports 6665-6669 to the blacklist. Does the bank use one of these...?
*sigh* I just ran into this while setting up ZNC, an IRC proxy/bouncer. It is desireable to set it up to listen on port TCP/6667—the common port for IRC serveres—so that IRC clients can mostly use the default provided port number; but ZNC also provides a web-based administration interface on the same port (i.e. https://znchost.example.com:6667/). And, as you note, Safari 5 now cannot connect to this port.
You cannot in general prevent arbitrary port numbers. Even the ports registered with IANA for a protocol are only the “well-known” port numbers; there is no general requirement that a service listen only on those ports. There are also about a million different use cases for running services on arbitrary ports; the above being a case in point, a per-user service (which means either the IP or port has to be unique) where the well-known port is not available (normal users cannot bind() to ports TCP/80,443).