Block HTTP port 554 - Chrome Platform Status

Feature: Block HTTP port 554

Connections to HTTP, HTTPS or FTP servers on port 554 will fail. This is a mitigation for the NAT Slipstream 2.0 attack. It helps developers by keeping the web platform safe for users. Chrome briefly blocked port 554 before, but it was unblocked due to complaints from enterprise users. However, we have now achieved rough consensus at https://github.com/whatwg/fetch/pull/1148 to block 554.

Motivation

Some NAT routers and firewall products inspect traffic on port 554 and use it as instructions to open UDP forwarding back to the original host running the browser. Other browsers have blocked port 554, and statistics collection indicates that use of port 554 for HTTP is in fact minimal. On the dev channel it is used for approximately 0.00003% of requests.

Specification

Editor's draft

Status in Chromium

Blink components: Internals>Network

Enabled by default in:

Chrome for desktop release 90
Chrome for Android release 90
Android WebView release 90

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Shipped/Shipping
Edge: No signal
Safari: Shipped/Shipping
Web Developers: No signals

Owner

ricea@chromium.org

Last updated on 2021-05-04