Bug 14538 - Network port blocking breaks internet banking on major Estonian bank
Summary: Network port blocking breaks internet banking on major Estonian bank
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
: P2 Major
Assignee: Nobody
URL: https://www.hanza.net/cgi-bin/hanzanet
Keywords: InRadar, Regression
Depends on:
Blocks:
 
Reported: 2007-07-06 02:43 PDT by Mark Rowe (bdash)
Modified: 2011-05-22 02:08 PDT (History)
7 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Rowe (bdash) 2007-07-06 02:43:20 PDT 
As noted in bug 14100, hanza.net uses port 563 for its HTTPS communication when the user chooses to authenticate via a government-issued smartcard. The port blocking added to resolve <rdar://problem/4429701> causes the page load to fail with the mesasge:
"Not allowed to use restricted network port" (WebKitErrorDomain:103)

To reproduce this:
1) Visit the URL above.
2) Click "Sisene ID-kaardiga".

Arguably the correct solution here would be to evangelize the bank as using port 563 (NNTPS) for HTTPS traffic is a rather odd thing to be doing in the first place.
Comment 1 Mark Rowe (bdash) 2007-07-06 02:46:12 PDT 
<rdar://problem/5316601>
Comment 2 David Kilzer (:ddkilzer) 2007-07-07 12:54:41 PDT 
See Bug 14100 Comment #8.
Comment 3 Maciej Stachowiak 2007-07-10 00:07:34 PDT 
It sounds like the bank is willing to fix this. Downgrading to P2.
Comment 4 Robert Snyder 2010-06-18 08:34:22 PDT 
This problem has returned in Safari 5
Comment 5 Brady Eidson 2010-06-18 09:12:57 PDT 
(In reply to comment #4)
> This problem has returned in Safari 5

Did the steps to reproduce change?  From the first comment...

> To reproduce this:
> 1) Visit the URL above.
> 2) Click "Sisene ID-kaardiga".

I don't see these on the page anymore.
Comment 6 Brady Eidson 2010-06-18 09:14:47 PDT 
AFAIK, the only substanative change to the port blocking mechanism that shipped in Safari 5 was the addition of ports 6665-6669 to the blacklist.  Does the bank use one of these...?
Comment 7 Indrek Siitan 2010-06-20 01:45:22 PDT 
Swedbank (formerly Hansabank) has changed their website, so that the smartcard login is now at https://id.swedbank.ee using the standard SSL port 443, so this is no longer an issue.

I guess Robert has hit a similar issue with some other site.
Comment 8 Robert Snyder 2010-06-21 06:02:45 PDT 
We use port 6666. I am fine if they want to warn uses if they encounter web sites on odd ports, and then allow the user to override that warning if the user knows it is a safe site. But we use browsers on odd ports regularly. What is the issue with allowing users to access any port they wish?
Comment 9 Terje Bless 2011-05-22 02:08:54 PDT 
(In reply to comment #6)
> AFAIK, the only substanative change to the port blocking mechanism that shipped in Safari 5 was the addition of ports 6665-6669 to the blacklist.  Does the bank use one of these...?

*sigh* I just ran into this while setting up ZNC, an IRC proxy/bouncer. It is desireable to set it up to listen on port TCP/6667—the common port for IRC serveres—so that IRC clients can mostly use the default provided port number; but ZNC also provides a web-based administration interface on the same port (i.e. https://znchost.example.com:6667/). And, as you note, Safari 5 now cannot connect to this port.

You cannot in general prevent arbitrary port numbers. Even the ports registered with IANA for a protocol are only the “well-known” port numbers; there is no general requirement that a service listen only on those ports. There are also about a million different use cases for running services on arbitrary ports; the above being a case in point, a per-user service (which means either the IP or port has to be unique) where the well-known port is not available (normal users cannot bind() to ports TCP/80,443).