From: Cameron Kaiser
Subject: [gopher] Re: Gopher+ Suggestion
In-Reply-To: from Thomas Thurman at "Jul 22, 2 02:59:47 pm"
To: gopher@complete.org
Date: Mon, 22 Jul 2002 07:19:57 -0700 (PDT)

> > > A problem fairly specific to Gopher is that many gopher clients
> > > (especially ones in web browsers) don't support connections to ports other
> > > than 70, because Gopher is _so_ flexible that it's possible to write
> > I haven't ever seen this. Perhaps in Konqueror? But then it doesn't
> > support Gopher well anyway. Maybe IE? I seem to recall Cameron mentioning
> > IE problems.
> explains why Mozilla
> was modified to allow gopher connections only to port 70.
> From the comments to that bug:
>
> : As blake was checking in gopher for me, jgmyers pointed out that the
> : fact that gopher allows connections to any port may be a security hole.
> : If an attacker can get someone to click onto a URL (like the above),
> : (say, behind a firewall) could theoretically be exploited, on any port
> : (eg bind/apache/etc)

While true, this should hardly be the responsibility of the client to
enforce -- this only masks badly written server software and makes it less
likely to find exploits. I strongly question the intelligence of this
decision.

--
----------------------------- personal page: http://www.armory.com/~spectre/ --
 Cameron Kaiser, Point Loma Nazarene University * ckaiser@stockholm.ptloma.edu
-- It is not enough to succeed. Others must fail. -- Gore Vidal ---------------