- From: Ted Goddard <ted.goddard@icesoft.com>
- Date: Mon, 17 Oct 2005 09:30:16 -0600
Rather than invent another protocol, this seems like an excellent application for BEEP: http://www.ietf.org/rfc/rfc3080.txt

Restricting connections to the originating host only has shown to be fairly effective so far, and it's quite easy to see how allowing arbitrary connections (no matter what port they are on) could be used to stage attacks on remote servers. Are connections to arbitrary hosts worth the risk?

Ted.

On 17-Oct-05, at 3:36 AM, Michael Gratton wrote:

> On Mon, 2005-10-17 at 05:27 +0000, Ian Hickson wrote:
>
>> It's not intended to use port 80 only; where does it say that? That's an
>> error. It is intended to be usable on ports 80, 443, and anything greater
>> than 1024. (80 and 443 to attempt to tunnel out of psychotic firewalls,
>
> ObFirewallsExistForAReasonRant: But then you are trying to subvert the
> entire point of the firewall in the first place, which is just going to
> annoy network admins. If they don't already have a proxy in place they
> will put one in pretty quick. XML-RPC and SOAP constitute similar
> annoyances.
>
> As soon as there is a proxy in the way, these TCP connections over port
> 80 and 443 will break. Many ISPs use transparent proxies for all HTTP
> traffic anyway, so (admittedly without any sort of figures to back this
> up) it is likely that many, if not most attempts to open a non-HTTP TCP
> connection on port 80 and 443 will just not work.
>
> If the spec allows connections on 80 or 443, then it will encourage
> developers to use those ports. For anyone behind a firewall they likely
> won't be able to use it anyway and those that are behind a transparent
> proxy will wonder why it doesn't work, even though they do not have a
> web browser configured to use a proxy.
>
> I would suggest the spec should just require all connections be made on
> ports above 1024. It will make it clear to people behind a firewall that
> they will need to get a hole made to use the web app and avoids the
> problem with transparent proxies.
>
> (Not to mention that overloading those two ports with a new protocol is
> pretty poor form in general, anyway.)
>
> /Mike
>
> --
> Michael Gratton, Software Architect.
> Quuxo Software <http://web.quuxo.com/>

Ted Goddard, Ph.D. - Senior Software Architect
ICEsoft Technologies Inc
Suite 300, 1717 10th St. NW
Calgary, AB - Canada - T2M 4S2
T 403 663-3322 F 403 663-3320
ted.goddard at icesoft.com
http://www.icesoft.com
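The three positions in the thread (Ian's draft of 80, 443 or anything above 1024 to any host; Mike's counter-proposal of ports above 1024 only; Ted's originating-host-only restriction) and Mike's transparent-proxy objection can be modelled side by side. The code below is an added example written for this archive page; it is not from the WHATWG draft, from any of the posters, or from BEEP. The policy names, the `connection_outcome` function and the proxy model are illustrative assumptions: the proxy is assumed to intercept port 80 only and to expect an HTTP/1.x request line as the first bytes from the client (TLS on 443 is not modelled). The sample traffic is constructed; the frame header uses RFC 3080 syntax but is not taken from any real session.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread or any spec. It models the
# three port/host policies discussed and the transparent-proxy failure
# mode Michael Gratton describes.

PRIVILEGED_MAX = 1024                 # Mike: only ports above this
TUNNEL_PORTS = frozenset({80, 443})   # Ian: additionally allow these


@dataclass(frozen=True)
class Policy:
    name: str
    allow_tunnel_ports: bool   # True for Ian's draft, False for Mike's proposal
    same_host_only: bool       # True for Ted's originating-host restriction


# Hypothetical policy objects summarising each poster's position.
IAN_DRAFT = Policy("80, 443 or >1024; any host", True, False)
MIKE_PROPOSAL = Policy(">1024 only; any host", False, False)
TED_RESTRICTION = Policy(">1024 only; originating host only", False, True)


def port_allowed(port: int, policy: Policy) -> bool:
    """Port rule: anything above 1024, plus 80/443 if the policy permits."""
    if not 0 < port < 65536:
        return False
    if port > PRIVILEGED_MAX:
        return True
    return policy.allow_tunnel_ports and port in TUNNEL_PORTS


def host_allowed(origin_host: str, target_host: str, policy: Policy) -> bool:
    """Host rule: any host, or only the host the page came from."""
    if not policy.same_host_only:
        return True
    return origin_host.strip().lower() == target_host.strip().lower()


# Assumed model of an ISP transparent proxy: it intercepts port 80 only and
# drops the connection unless the client's first bytes are an HTTP/1.x
# request line (RFC 2616: METHOD SP Request-URI SP HTTP-Version CRLF).
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def transparent_proxy_passes(port: int, first_bytes: bytes) -> bool:
    if port != 80:
        return True                     # not intercepted; bytes pass through
    return REQUEST_LINE.match(first_bytes) is not None


def connection_outcome(origin_host: str, target_host: str, port: int,
                       first_bytes: bytes, policy: Policy) -> str:
    """Return 'blocked-by-spec', 'broken-by-proxy' or 'ok'."""
    if not (host_allowed(origin_host, target_host, policy)
            and port_allowed(port, policy)):
        return "blocked-by-spec"
    if not transparent_proxy_passes(port, first_bytes):
        return "broken-by-proxy"
    return "ok"


# Constructed sample traffic: a BEEP-style frame header (RFC 3080 syntax)
# and an ordinary HTTP request line.
BEEP_FRAME = b"MSG 0 0 . 0 52\r\nContent-Type: application/beep+xml\r\n\r\n"
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    cases = [
        ("app.example", "app.example", 80, BEEP_FRAME),
        ("app.example", "app.example", 8080, BEEP_FRAME),
        ("app.example", "victim.example", 25, BEEP_FRAME),
        ("app.example", "victim.example", 8080, BEEP_FRAME),
    ]
    for policy in (IAN_DRAFT, MIKE_PROPOSAL, TED_RESTRICTION):
        for origin, target, port, data in cases:
            verdict = connection_outcome(origin, target, port, data, policy)
            print(f"{policy.name:36} {target}:{port:<5} -> {verdict}")
```

Running the block prints a verdict per policy and target. Under Ian's draft a non-HTTP stream to port 80 is permitted by the spec but broken by the modelled proxy, which is Mike's point; under Ted's restriction the same stream to a different host on 8080 is refused before any packet leaves, which is the staging-attack concern in the message above.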
Received on Monday, 17 October 2005 08:30:16 UTC