HackerTrans
TopNewTrendsCommentsPastAskShowJobs

antimeme

no profile record

comments

antimeme
·قبل 4 سنوات·discuss
Not a LITTLE sarcastically, no.

No one has yet provided evidence that privileged ports create even a single security issue. While there's lots of huffing and puffing in the original article (including someone confusing privileged ports with IP based authentication, which is effectively dead), the closest it gets is to say that dropping privileges in a server is a pain. And then they go on to show off a one line configuration change that would disable privileged ports system wide. So do that if it makes sense for you.

What doesn't make sense would be to abandon decades of practice that real people (more than three in Finland, actually) rely upon because some people are too lazy to make a trivial change to their systems. And let's get real: 99.9% of people are never going to want to run a web server on their computers. You're just arguing that your portion of that 0.1% -- let's be a LITTLE sarcastic and call them five penguins in Antarctica! -- are more important than the rest.
antimeme
·قبل 4 سنوات·discuss
Did you... actually read the article this comment responded to? Or even the comment you're replying to? The original article proposed making all ports non-privileged because most systems serve a single user in practice. Are you really going to argue that changing the port to 8080 is insecure because someone could snipe it but making all ports non-privileged is better because... now someone can snipe 80 as well?
antimeme
·قبل 4 سنوات·discuss
Stop pretending that non-technical users want to run web servers. That's just not a thing. What you're actually arguing is that some technical users are so important that making them tweak a default setting is too much to ask, but others are so insignificant that pulling the rug out from under them after decades of practice is perfectly reasonable. I disagree.

Do you not grasp WHY Let's Encrypt requires port 80 (for one particular challenge type)? Think about that for just one second. Okay I'll spell it out for you: the convention that ports under 1024 are privileged gives Let's Encrypt some confidence that privileged ports runs services sanctioned by the system administrator and not some tenant -- which is exactly the point I was making. So thanks for providing more support for my argument, I guess?

And while we're at it, can we stop pretending you care about user experience? You can't even be bothered to type those two words! You cite no studies and make no technical arguments. All you're offering is the claim that the default you prefer "should be preferred" based on your intuition.

I probably shouldn't even dignify your claim that people think port numbers in URLs mean they're being attacked with a response, but I'll bite. Do you have even a shred of evidence for this claim or did you just make it up on the spot? Obviously the latter, but if even if it were true the solution would be to educate people about what port numbers mean. Unless you want to argue that any feature of any internet service some people are confused about should be abolished? I guess we'll have to shut the entire internet down.

Changing the port number is a perfectly reasonable solution for many use cases, but it's far from the only option. Alternatives include CAP_NET_BIND_SERVICE, net.ipv4.ip_unprivileged_port_start, port mapping in containers and many more. Pick your favorite and stop wasting everyone's time.
antimeme
·قبل 4 سنوات·discuss
This article is nonsense. Privileged ports are a security feature. They have literally nothing to do with mainframes. On multi-user systems, they're incredibly important because they give external clients confidence that the services provided on them are authorized by the system and not just by any user -- some of whom may not be as trustworthy as others. Most systems in this era of cheap hardware are single user, BUT NOT ALL SYSTEMS. It's fine for Windows and Mac OS to do without them and it's fine to configure your own Linux system to disable them if that's what you want, but it's completely insane to argue that they're a security flaw because some people work around them using insecure practices. There are plenty of secure ways to work around them, most obviously by USING A NON-PRIVILEGED PORT. Start your service on port 8080, for example, and give out a URL like http://example.com:8080/path. It's really that simple. Take the time to understand the actual purpose of a feature before urging others to abolish it.