Furious at Firefox

  • Posted on: 30 December 2006
  • By: agittins

Oh. My. God. I can't even begin to describe how insanely stupid this is. I just went to open a site in Firefox (since it wasn't rendering in Konqueror quite right) and I get greeted by the most stupid error message I think I've ever seen:

"This address is restricted: This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection."

And to add insult to injury, there's a "Try again" button which will kindly display the same error message for you again.

I'm sorry, but since when does a web-browser know what ports are safe and what are not? This is utter rubbish, snake-oil security. There is no security benefit in blocking certain ports - that's a local site policy decision, not some safety panacea. Whoever thought of this needs to wake up and smell the coffee, you are not the security genius you think you are, moron.

To make matters worse, there is no existing configuration setting where you can disable this behaviour. In fact, you can't even disable it outright as far as I can see. What you can do though is add a new setting in the about:config page and define a list of ports you want to allow. Oh great, so we've got to nit-pick around for every port we come across. Or so it seems - it turns out that the setting also accepts port ranges. Ahh... now that makes things a bit easier, we can just allow every port in existence. Ok, so let's undo the braindamage that some mouth-breathing snotty nosed excuse of a mozilla developer (or a whole team of them) has done:

  • Go to about:config in your Firefox browser.
  • Right click somewhere, and choose "New => String"
  • In the setting Name box type "network.security.ports.banned.override"
  • In the Setting Value box, type "1-65535". Yep, that's all of 'em
  • Click OK

Now that "Try Again" button is useful - bang it and see if your page loads properly.

The good news is that someone has already logged a bug against this "feature" calling for it to be removed or at least have an existing config option to control it. The bad news is that removing it altogether doesn't sound like a likely response, something about protecting intranets from internal probing - come on, that really isn't Firefox's problem. If people stop using Firefox and go back to IE then the Firefox team have actually made things less safe, if indirectly. Anyway, go and vent here: https://bugzilla.mozilla.org/show_bug.cgi?id=341636.
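A simplified model of the port check and of how the override value from the steps above is read, added here as an illustration (not Firefox source and not part of the original post). The blocked-port set is a constructed subset limited to ports and protocols named on this page, and skipping malformed entries is an assumption of the model; it shows that a narrow value such as "95,563" reopens only the ports you need, while "1-65535" reopens every blocked port.

```javascript
// Simplified model of the browser-side port check (illustration only).
// BANNED is a constructed subset: telnet, SMTP, port 95, POP3, NNTP, IMAP, 563.
// The browser's real list is longer.
const BANNED = new Set([23, 25, 95, 110, 119, 143, 563]);

// Parse a network.security.ports.banned.override value such as "95,563"
// or "1-65535" into [lo, hi] ranges. Malformed entries are skipped
// (an assumption of this model).
function parseOverride(pref) {
  const ranges = [];
  for (const part of String(pref || "").split(",")) {
    const m = /^\s*(\d+)(?:\s*-\s*(\d+))?\s*$/.exec(part);
    if (!m) continue;
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo < 1 || hi > 65535 || lo > hi) continue;
    ranges.push([lo, hi]);
  }
  return ranges;
}

// A port is allowed if it is not on the block list, or an override covers it.
function portAllowed(port, overridePref) {
  if (!BANNED.has(port)) return true;
  return parseOverride(overridePref).some(([lo, hi]) => port >= lo && port <= hi);
}

// Apply the check to a full URL, falling back to the scheme's default port.
function urlAllowed(url, overridePref) {
  const u = new URL(url);
  const port = u.port ? Number(u.port) : (u.protocol === "https:" ? 443 : 80);
  return portAllowed(port, overridePref);
}

// List which blocked ports a given override value reopens.
function reopened(overridePref) {
  return [...BANNED].filter((p) => portAllowed(p, overridePref)).sort((a, b) => a - b);
}

console.log(reopened("95,563"));          // only the two ports actually needed
console.log(reopened("1-65535").length);  // every port in the model's block list
console.log(urlAllowed("http://your.server.com:23/", "95,563")); // telnet stays blocked
```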

Comments

>> There is no security benefit in blocking certain ports
>In short: There is such a benefit.

Perhaps I was over the top saying there's no benefit - perhaps there is, but the way it is implemented in firefox is a net loss.

Why not just address the issue at the forms level? This is where the real abuse is potentially done. Throw up a warning (or disable the form) when a form's method uses a different host/protocol than the one used to get the source page. This way users can still access services on specific non-standard ports, and they are protected from attempts by external sites to access intranet (or other) services on other protocols. Blocking a list of near-arbitrary ports does not seem to be an elegant or well-considered solution.

Definitely right - blocking every single port other than 80 is quite literally stupid. Even those bugtrak lists state it only affects ASCII-based protocols like SMTP, NNTP, POP3, IMAP, IRC, so why not just block those standard ports that could be affected - it is the lookout of the administrator of these systems to protect them if he chooses to use non-standard ports. But after finding out that OWA access is being blocked at all our clients' sites from Firefox because it uses port 95 has quite rightly peed me right off with unnecessary work, to fix a Firefox kludge solution.

This *can* be a useful security feature. Imagine if I put a bunch of images sourced at http://your.server.com:23 on a popular webpage. You would have your telnetd crushed, pretty anonymously.

I think almost all web-browsers blocked requests to port 23 even back in 2001, so this isn't exactly a new idea.

Of course, the reason I'm here is because I'm trying to work around it, and google led me to your door. This particular implementation is obviously obnoxious. . .

Sure, but all my telnetd would get is a bunch of invalid logins, it wouldn't be a taxing situation. You could just as easily link to stuff on port 80, in which case my web server would have to reply with 404 pages, an even greater load than a few telnet attempts as "HTTP/1.1". What's the point? Indeed, the telnet attempts would eventually be throttled by xinetd or similar for being clearly spammy attempts, while the web server will quite happily build and send a reply to every single request.

Firefox the best!

I was testing Openbravo and faced the block port issue, but thanks to your easy step config it works like a charm, thanks man.

I just found this issue. I can't believe how annoying that was. Thanks for the fix man!

First thing I did when this cropped up was: I switched to Opera.
Second was that I found your blog. Thanks for this

I just ran across this problem while I was testing some services on nonstandard ports. Thanks for posting the config.

well.. this port blocking they still have in latest final firefox 3. -still NO configuration for average user, this port thing is easy to fix for ppl like us but can average user understand how to do it? Of course not!

"This address uses a network port which is normally used for purposes other than Web browsing. Firefox has cancelled the request for your protection" ... opera will let u access it without a problem. While in firefox, first u need to go advanced config, manually add port exception string, then add ports, then u get "portaal.riik.ee:563 uses an invalid security certificate" (this is Estonia xPortal - (x-tee) access banks, taxes, everything else) - so it IS (really) secure ...
then u need to add exception for that.... then u get "The certificate is not trusted because the issuer certificate is not trusted." after clicking next link in same address... need to click "Or you can add an exception..." then "get certificate"... accept it... ohh... i wanna see average user who will do it instead of using internet explorer (because they just think "firefox is not working" ... ). I have so many clients who have done that, it's just sad (well - this info was for estonians who google x-tee sertifikaat probleem )

Well yeah.. only reason i use firefox for certain ad-sites (like facebook etc) is because of their ABP & element helper plug in & for some sites that use some messed up scripts, other than that i will use Opera only (i turn off internet access for explorer & media player for all my client computers lol).

Hi,

Thanks for the settings. I googled this error and found your site.

I agree it's pretty lame security ;)

Ya it's really ridiculous. but thanks to u that i can solve my problem. really thanks.

Thnx. Helped me get past that stupid message. Half-donkey solution by inane programmer that is...

The Firefox Port fix did not work for me. I did exactly as instructed and it still does not work. I have a recent upgrade of Firefox.
