Re: Reliable HTTP

Dan,

FYI: one of the open issues [1] for SOAP is whether it will use port
80, or define another port and protocol scheme to use. SOAP's use of
port 80 is not set in stone.

Cheers,

[1] http://www.w3.org/2000/xp/Group/xmlp-issues.html#x11 and
    http://www.w3.org/2000/xp/Group/xmlp-issues.html#x13



On Fri, Jul 20, 2001 at 12:59:50AM -0400, Dan Weinreb wrote:
> 
> On another topic, the motivation for building upon HTTP is that
> firewalls are generally configured to allow HTTP traffic and deny most
> other traffic.  This general point could be made about nearly any
> proposed new Internet protocol: they all ought to be built on top of
> HTTP, for the same reason.
> 
> If this reasoning were followed to its logical conclusion (and
> compatibility with past protocols were not an issue), we'd be able to
> retire all well-known ports other than 80 and 443, and the logic in
> the firewalls that denies connections on those other ports will lie
> dormant since nobody would use those ports for anything.  Isn't there
> something peculiar about this?  (I realize that there are many
> practical reasons why this would not literally happen.)
> 
> In particular, as I understand it, SOAP is also built on top of HTTP,
> and articles I have read about SOAP stress that one of its virtues is
> that it can work through firewalls because firewalls generally allow
> HTTP to pass through.
> 
> But why do firewalls allow HTTP in the first place?  Presumably the
> original justification was that HTTP requests are reasonably "safe".
> There must have been some feeling that allowing outsiders to send HTTP
> requests to your HTTP server doesn't put you at great peril, as
> compared to many well-known ports that firewalls generally deny.  (The
> frequency of the discovery of security problems with Microsoft IIS
> tends to challenge this judgement, but let's ignore that for now.)
> 
> But once the HTTP server has been enhanced to deal with all kinds of
> interesting protocols that are built upon HTTP, and especially once it
> has been enhanced to provide a very general and powerful RPC mechanism
> such as SOAP, it's less clear that it's so safe to expose it.  Indeed,
> once system security personnel become aware that the HTTP server is
> being used as a general RPC server that can run all kinds of programs
> on behalf of the client, port 80 might not seem so safe any more.  In
> a way, using HTTP for all kinds of other purposes almost seems like a
> way of thwarting or subverting one's own security policies.  Surely the
> people in charge of the firewalls will "catch on" eventually?

-- 
Mark Nottingham, Research Scientist
Akamai Technologies (San Mateo, CA USA)

Received on Friday, 20 July 2001 16:27:56 UTC
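The thread's point that a port-based rule ("allow 80/tcp") admits a SOAP RPC call and a plain page fetch alike, so the port logic "lies dormant", can be seen in code. The following is an added example, not anything from this list or from the SOAP specification's authors: it parses a raw HTTP/1.x request and classifies it using the SOAP 1.1 conventions (POST, a SOAPAction header, or a text/xml body whose root element is Envelope in the http://schemas.xmlsoap.org/soap/envelope/ namespace), then contrasts a port-only policy with one that looks at the HTTP layer. The policy verdict strings and the sample requests are constructed for illustration.

```python
"""
Port-based versus application-aware handling of HTTP traffic.
Added illustration; the requests below are constructed samples.
"""
import re
from typing import Dict, Tuple

# Root element named Envelope, in the SOAP 1.1 envelope namespace.
SOAP11_ENVELOPE = re.compile(
    rb"<(\w+:)?Envelope\b[^>]*schemas\.xmlsoap\.org/soap/envelope/"
)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_like_soap(raw: bytes) -> bool:
    """Return True if the request carries a SOAP 1.1 call."""
    method, _target, headers, body = parse_request(raw)
    if method != "POST":
        return False
    if "soapaction" in headers:          # SOAP 1.1 requires this header over HTTP
        return True
    ctype = headers.get("content-type", "").lower()
    if not ctype.startswith(("text/xml", "application/soap+xml")):
        return False
    return SOAP11_ENVELOPE.search(body) is not None


def port_policy(dst_port: int) -> str:
    """The classic rule the thread describes: allow web ports, deny the rest."""
    return "allow" if dst_port in (80, 443) else "deny"


def app_aware_policy(dst_port: int, raw: bytes) -> str:
    """Same port rule, but RPC tunnelled over HTTP is singled out for review."""
    if port_policy(dst_port) == "deny":
        return "deny"
    if looks_like_soap(raw):
        return "flag-rpc"
    return "allow"


# Constructed sample requests (hostnames and URNs are placeholders).
PAGE_FETCH = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

SOAP_CALL = (
    b"POST /rpc HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"SOAPAction: \"urn:example#RunJob\"\r\n"
    b"\r\n"
    b"<?xml version=\"1.0\"?>"
    b"<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    b"<soap:Body><RunJob xmlns=\"urn:example\"/></soap:Body></soap:Envelope>"
)

# Envelope present but no SOAPAction header: still recognised from the body.
SOAP_NO_ACTION = (
    b"POST /rpc HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: text/xml\r\n\r\n"
    b"<Envelope xmlns=\"http://schemas.xmlsoap.org/soap/envelope/\"><Body/></Envelope>"
)

# Ordinary XML POST that is not SOAP.
XML_NOT_SOAP = (
    b"POST /orders HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: text/xml\r\n\r\n"
    b"<order id=\"1\"/>"
)

if __name__ == "__main__":
    for name, req in [("page fetch", PAGE_FETCH), ("soap call", SOAP_CALL)]:
        print(f"{name:10s} port-only: {port_policy(80):6s} "
              f"app-aware: {app_aware_policy(80, req)}")
```

Run on port 80, the port-only policy returns "allow" for every request; the application-aware one returns "allow" for the page fetch and "flag-rpc" for the SOAP call, which is the decision a firewall administrator would need to make once, as the message puts it, they "catch on" that port 80 now carries RPC.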