Re: LYNX-DEV problem with 'news' url draft

David Woolley (david@djwhome.demon.co.uk)
Fri, 6 Mar 1998 08:39:17 +0000 (GMT)


From: David Woolley <david@djwhome.demon.co.uk>
Message-Id: <199803060839.IAA07543@djwhome.demon.co.uk>
To: lynx-dev@sig.net
Date: Fri, 6 Mar 1998 08:39:17 +0000 (GMT)
Cc: uri@Bunyip.Com, phil@netscape.com, chuckop@microsoft.com
In-Reply-To: <199803060116.UAA28439@access5.digex.net> from "Al Gilman" at Mar 5, 98 08:16:25 pm
Subject: Re: LYNX-DEV problem with 'news' url draft

> 
> Are snews URLs used?  Is news+ssl offered with any regularity?
> Is port 563 generally used for this?

My understanding is that it was invented by Netscape at the same time
as https and that they use it for their support newsgroups, although
I don't know to what extent they do this for lock-in/demonstration reasons
and to what extent to protect the information from non-paying customers.

My impression from various things I've seen on USENET is that quite
a lot of commercial users of their products have started using it
as well, although I'm not sure if that is for closed, external services,
or for internal company services.  I think you can assume that Netscape
have been trying to create this market, although their original 
competitive edge will have been considerably blunted by time.

My impression is that it is generally used in a context where snntp would
have been a more appropriate URL name, but Netscape destroyed the distinction
between nntp and news and I think that has now been officially sanctioned.
There may be some ISPs offering it to give customers a false sense that
their newsreading habits are kept private.

> 
> Should this be discouraged?  Actively or passively, by failing to
> bless this usage with a Proposed Standard?

I doubt that a standard will have much influence in this market area.
SSL is much more of a marketing phenomenon than a technical one; my
impression is that the traditional users of secure communications could
have implemented it a long time ago, but didn't for reasons that haven't
changed, and may even have gone against it, namely a distrust in the 
security of software implementations.

Incidentally from the port space pollution point of view, I think you will
find that the nature of SSL is such that it requires a doubling of the
number of privileged ports.  You can't just autodetect it on the standard
port, because the nature of the thing is such that it is very likely that
people will want to permit it across a firewall, but not the raw protocol.
You could define an SSL multiplexor port, with the sub-protocol carried in
the data; it is even possible that this is in the latest version, however,
again there may be a demand to discriminate at firewalls.