Firewall Wizards mailing list archives
Re: HTTP in practice
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 23 Sep 1997 23:50:11 +0000
> Hmmm. Any examples of what you'd consider one of these "bad URLs" to look like? We try to be pretty friendly URL-wise.
URLs with '|', ';', '>', '..', '*' and other metacharacters are probably not a good idea. I'll tread on dangerous ground here by admitting that I've never read the HTTP standards to see if those are legitimate components of a URL. In a sense it doesn't matter, though, because the presence of those metacharacters is a danger sign and indeed there have been several security flaws related to servers and browsers incorrectly handling them. So a firewall might decide to do the smart thing by zapping them out of the URL in some manner.
> You could do something like encode your data in a "harmless" encoding that the firewall won't look into.

I was thinking of encryption when I wrote the preceding. :) If I were an application developer writing something that I didn't want people's firewalls to mess with, I think I'd make it encrypt its data or uuencode it or something.
> And, of course, we thought we were being good citizens using application/x-eRoom rather than, say, image/gif.
Yes, I think you win a good citizenship award for that. It means, however, that (unless your mystery app is very cool and useful, and wotnot) someone will be ordered by management to screen that mime type at the firewall. But hopefully (if your mystery app is very cool and useful) they'll be a minority.
> What I was really asking was more akin to: How often can exceptions be expected in (for instance) proxy rules such that may allow <OBJECT> tags from a particular host?
Very hard to answer. It really depends on how cool and useful your mystery app is!
From a security perspective that is the reality we deal with: security takes second place to cool and useful. It often comes in behind merely cool. Heck, the web wouldn't have happened the way it did if security wonks' objections had not been ruthlessly crushed by senior managers surfin' on a wave of hype... I remember the pitiful screams of the firewall managers of yore: "http sucks! ftp is good enough..!" I was one of them. The fact that we were right is moot.
> (I know ActiveX is seen as a great evil. In fact, I don't entirely disagree, especially when it concerns downloading controls over the 'Net. I'll just reiterate, we don't download ActiveX. Our components are pre-installed. As such, we're basically in the same boat as any other COM-based object on a Windows system. For whatever benefit that may be worth.)
Well it's a good thing and it may help you -- but right now I think ActiveX has a "perception problem" that may bite you. Or at least it'll chew on you a little. Maybe this is something you can address in your marketing? ("secure local loading of ActiveX applets makes them tamper proof against attack over the Internet")
> And this goes along with my question to some degree. Do we face a greater obstacle because we're browser- and web-server-based, rather than if we had crafted our own server and protocol and released proxy code?
I'd say definitely you're better off. If you wrote your own thing from scratch you'd still have resistance from people AND it'd be harder for them to play with. In today's industry, where everyone has a nanosecond attention span, easy to play with rates higher on the product survival value scale than security.
> (None of this is to say I don't understand. I responded an ardent "No" to requests to make ICQ available recently, for instance.)
Ditto. I couldn't see how they do the bit where they send a URL to someone and it pops their browser. It might be possible to trigger someone to go to a page with a hostile ActiveX applet or something, automatically. There's a subtle (and pernicious) security implication hidden in things like ICQ: all the users are on Windows. If you're a Bad Guy and you're going after someone on ICQ you can be about 90% certain they're on W95. 8% certain it's NT. Solves a lot of the portability problems in writing attack applets. I'm starting to get crazy in my old age and am increasingly afraid that the Windows juggernaut is going to kill us through lack of biodiversity against future bugs and worms.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net
New Book!!: http://www.clark.net/pub/mjr/websec