Re: LYNX-DEV problem with 'news' url draft

David Woolley (david@djwhome.demon.co.uk)
Sun, 8 Mar 1998 10:53:27 +0000 (GMT)


From: David Woolley <david@djwhome.demon.co.uk>
Message-Id: <199803081053.KAA11144@djwhome.demon.co.uk>
To: phil@netscape.com (Phil Peterson)
Date: Sun, 8 Mar 1998 10:53:27 +0000 (GMT)
Cc: lynx-dev@sig.net, uri@Bunyip.Com, chuckop@microsoft.com
In-Reply-To: <35019BEB.A9694780@netscape.com> from "Phil Peterson" at Mar 7, 98 11:11:39 am
Subject: Re: LYNX-DEV problem with 'news' url draft

Phil Peterson wrote:

> There is, as Keith Moore suggested, a trend towards negotiating TLS
> using the protocol itself. An implementation has been suggested for SMTP
> in draft-hoffman-smtp-ssl-05.txt. While our NNTP/SSL support predates
> this trend, it seems to me that TLS can be autodetected and does not, in
> general, require more ports to pass through the firewall. This requires
> additional syntax in each protocol, and maybe the NNTPEXT group will
> consider that for NNTP.

The original issue I was thinking of is the sort of scenario where the
management of a company calls in a security consultant who tells them
that permitting clear text through their firewall is undesirable and that
they should block most clear text ports.  I think this sort of thing
does happen where the power doesn't lie with the people with technical
understanding; the management wants to play safe without understanding
the issues.

In that sort of case you would need an application level firewall to
selectively block unencrypted traffic.

The other issue relates to local caching and proxying.  Although you could
have a server which opened an SSL/TLS transparent relay on detecting a secure
session, the legal issues involved would tend to force that to be a commercial
product (remember that this is on the mailing list for a freeware browser).