[whatwg] web-apps - TCPConnection

Rather than invent another protocol, this seems like an
excellent application for BEEP:

http://www.ietf.org/rfc/rfc3080.txt

Restricting connections to the originating host only has shown
to be fairly effective so far, and it's quite easy to see how
allowing arbitrary connections (no matter what port they are on)
could be used to stage attacks on remote servers.  Are connections
to arbitrary hosts worth the risk?

Ted.


On 17-Oct-05, at 3:36 AM, Michael Gratton wrote:

> On Mon, 2005-10-17 at 05:27 +0000, Ian Hickson wrote:
>
>> It's not intended to use port 80 only; where does it say that?  
>> That's an
>> error. It is intended to be usable on ports 80, 443, and anything  
>> greater
>> than 1024. (80 and 443 to attempt to tunnel out of psychotic  
>> firewalls,
>>
>
> ObFirewallsExistForAReasonRant: But then you are trying to subvert the
> entire point of the firewall in the first place, which is just  
> going to
> annoy network admins. If they don't already have a proxy in place they
> will put one in pretty quick. XML-RPC and SOAP constitute similar
> annoyances.
>
> As soon as there is a proxy in the way, these TCP connections over  
> port
> 80 and 443 will break. Many ISPs use transparent proxies for all HTTP
> traffic anyway, so (admittedly without any sort of figures to back  
> this
> up) it is likely that many, if not most attempts to open a non-HTTP  
> TCP
> connection on port 80 and 443 will just not work.
>
> If the spec allows connections on 80 or 443, then it will encourage
> developers to use those ports. For anyone behind a firewall they  
> likely
> won't be able to use it anyway and those that are behind a transparent
> proxy will wonder why it doesn't work, even through they do not have a
> web browser configured to use a proxy.
>
> I would suggest the spec should just require all connections be  
> made on
> ports above 1024. It will make it clear to people behind a firewall  
> that
> they will need to get a hole made to use the web app and avoids the
> problem with transparent proxies.
>
> (Not to mention that overloading those two ports with a new  
> protocol is
> pretty poor form in general, anyway.)
>
> /Mike
>
> -- 
> Michael Gratton, Software Architect.
> Quuxo Software <http://web.quuxo.com/>
>




Ted Goddard, Ph.D. - Senior Software Architect
ICEsoft Technologies Inc
Suite 300, 1717 10th St. NW
Calgary, AB - Canada - T2M 4S2
T 403 663-3322
F 403 663-3320
ted.goddard at icesoft.com
http://www.icesoft.com

Received on Monday, 17 October 2005 08:30:16 UTC