For those of you that manage firewalls, has anyone ever noticed instances where the Safari web browser will reach a web server on standard port 80, but also hits the web server on port 443 (https) even though apache/httpd isn't listening on 443?
On my own personal VPS I only recently started actually logging packets I dropped with the drop rule(s) in my iptables chains, because I was trying to get data on some brute force / DoS activity originating from Southeast Asia.
Note that my input rules allow inbound to port 80 in a stateful manner with a standard/default rule to drop all inbound traffic.
Anyway, while I was actively tailing my syslogs, I noticed my own client IP being logged by my iptables drop rule for port 443.
I thought that was strange considering I have never run http over SSL on my VPS.
I tested the same type of browser activity against my site using Chrome (same OS / computer) and no 443 port knock occurred.
I ran tcpdump on my client interface and the hex and ascii output of the pcap file yields nothing readable in the packet contents.
I also noticed the 443 knock on the ipv6 address for my VPS as well if I force an ipv6 browser connection.
A buddy of mine saw someone post a question on the Apple Support Discussion Boards about some clients' Safari browsers going to their company's Intranet webserver on 443 when they don't have https running, although it was a one-off question with no other 'bugtrack' type reports.
Anyway, I figured there's enough IT people here that someone might have come across this in their firewall and/or IDS logs.
I'm wondering if there's a 'bug' or behavior in Safari such that when a client browser establishes an http session, Safari does an out-of-band port knock on 443 and if it gets an ACK on the 443 knock, it does some sort of pre-fetch on 443.