Re: Use of HTTP to pass firewalls

From: Roy T. Fielding <fielding@ebuilt.com>
Date: Thu, 9 Aug 2001 11:48:36 -0700
To: Keith Moore <moore@cs.utk.edu>
Cc: Jacob Palme <jptest@dsv.su.se>, discuss@apps.ietf.org, Kristine Andersen <kristineandersen@hotmail.com>, Christer Backman <asphalt_world@hotmail.com>, Fredrik Björck <bjorck@dsv.su.se>, Mats Wiklund <matsw@dsv.su.se>, Sead Muftic <sead@dsv.su.se>
Message-ID: <20010809114836.A892@waka.ebuilt.net>

On Thu, Aug 09, 2001 at 01:39:00PM -0400, Keith Moore wrote:
> in a nutshell, my view is that if people are using a web browser 
> on the client end to view the content, then it's reasonable to use 
> port 80 on the server end.   
> 
> otherwise, it's probably not reasonable to use port 80.

Right.  Port 80 is reserved for the Web, not HTTP.

The notion that a firewall is any more or less secure because of
people promoting pseudo-standards that tunnel over HTTP is missing a bit
of common sense.  Someone trying to break through a firewall isn't going
to obey IANA port reservations, let alone protocol standards.

Security will depend on how the firewall has been configured and will
require some level of content filtering on any ports that it exposes to
the outside world.  HTTP makes that a bit easier than most protocols,
but only when it is used appropriately.  People installing software on
the firewall that allows inappropriate use of HTTP to pass through
will be reducing the security of that firewall.

....Roy
Received on Thursday, 9 August 2001 14:50:58 GMT