
I think the dynamics of the Internet have shifted from the early days. Basically, HTTPS on port 443 is pretty much the only service that anyone intends to make publicly available. This is different from 30 years ago, when those same sites had HTTP, FTP, Gopher, a public Telnet server, a public NTP server, etc. and they wanted you to use them. It was very reasonable to look around back then, but nowadays anything that is available publicly is probably an accident.


Exactly! And do we want to continue on that trend? Personally, I don't.

I dislike the growing idea that HTTP is a core part of the internet, and not just the most popular part. The difference lies in whether we're going to see legislation that dictates proper use of the lower networking layers like TCP/IP by stuff of the upper layers like HTTP. I'd really hate to see something along the lines of "it's illegal to use a TCP port unless it was specified as available to the public in some (possibly js-rendered) part of an HTTP response."


I don't think it's worth getting caught up on which data framing protocol everyone is using. Everything that Gopher, IRC, FTP, etc. did are perfectly expressible as any other RPC protocol; these things were just RPCs before we invented the term RPC. Now we have protocols that can generically transport any RPC, and so we don't need to think about these things in terms of port numbers or running services.


True, as if the browser is the only tool to access the Internet. Today, with the much bigger security awareness, it would be thinkable to allow file sharing over the Internet or to fail over to the neighbour's Internet uplink when one's own DSL provider has a problem. All these things become increasingly difficult. (Actually, Bruce Schneier once wrote on his blog that he has an open Wifi at home.)


I don't think port scanning and computer intrusions are comparable. As always, I believe, in both state (like CA 502) and federal law (like CFAA), state of mind is what matters. You have to intend to gain unauthorized access (or, in California, the resources of that computer). A port scan by itself can't do that; on the flip side, randomly accessing URLs can do that, so even though you don't need special "malicious" tooling to hit a URL, you can be charged with a felony for (say) dumping lots of private information from a URL you simply type into your browser bar.

Even in California, the resources that you can access and consume from a port scan of a browser visiting your site are essentially the same as you'd get from running Javascript on your page. A legal claim based on those scans seems very far-fetched.

Message board nerds seem totally convinced of the idea that computer crime law tracks the state of the art in offensive computer security, but the two concepts aren't directly connected at all.

I speak both for myself and, I think, for a lot of security researchers both academic and professional when I say that I am very, very nervous poking at a website that hasn't given me permission to, say, check if an input that generated a crazy error is, say, letting me inject SQL, while at the same time I am never scared about port scanning things. There are companies, well-respected companies, that do nothing but port scan everything on the whole Internet.


I remember when finger (and even rsh!) were common.



