Firewall Wizards mailing list archives
Rant (Was Re: Our friend FTP, again)
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 15 Apr 1999 17:26:29 -0400
<rant>

Chad Schieken wrote:

> let's give Marcus the benefit of the doubt and assume he meant https

Sorry, I meant "HTTP as it should be" not "HTTP as it is." I keep forgetting that somehow one of the world's most important standards left out real security. :(

SSL would be a good replacement for FTP. HTTP is a good replacement for anonymous FTP. That's not to say that either protocol is good by any means.

In moments of idle fantasy, I imagine that we could somehow start over with the Internet Codebase. Deprecate _all_ the apps that we are currently running, replacing them with similar apps built atop decent high level APIs that incorporate necessary and desirable features sockets lack (session redirection, connection to service negotiation, session resumption/reconnection, encryption, authentication, authorization, integrity checksums, buffering/record formats).

We gotta remember that this whole industry is very very very young. Other industries bury the prototypes of the first generation of technology. We, on the Internet, enshrine them and refuse to give them up. The Demon of Backwards Compatibility has us by the short'n'curlies in a major major way. Few people drive first generation cars, use first generation dentistry techniques, fly first generation aircraft, and submit to first generation surgery. Think about that for a second.

I did a presentation about a year ago at Black Hat in which I advocated scrapping the current app base and starting over. Combine that with mandating filtering on backbone so that only "Internet Ready" app traffic is allowed. Then we blame it on Y2K. :)

It's scary to me that, as an industry, we spend $500mm/year on firewalls (band-aids) rather than actually fixing the problem. We _could_ easily produce a major move forward in secure communications APIs, and the necessary marketing push to get everyone to play, for a lot less than $500mm!

One of my favorite quiz questions is the FTP question: "Who in this room knows why FTP uses two connections the way it does for transferring data?" Nobody has ever had the right answer. The right answer is that NCP, the protocol before TCP, had sockets that only carried data in one direction, hence the need for 2 connections and all that wretched PORT nonsense. When TCP came along, nobody fixed FTP.

Let's take HTTP for another example. It's _proof_ that you can massively deploy a whole new protocol in almost no time at all. Indeed, it got end users in the habit of downloading new code every week. By Jan 1, 2000, I bet that the vast majority of people will be running a newer version of a browser than they are now. We _can_ ditch old code; we just don't choose to ditch _enough_ of it.

A few very simple draconian standards would go a long, long way. How about this one for starters:

1) _ALL_ "Internet Ready" applications originate _ALL_ connections from the client, to the server.

This would possibly mean a little bit of extra thinking and maybe a bit of extra coding (probably not) on the part of app developers, but think of the implications! It'd do a hell of a lot more for security than IPSEC will, and it'd mean that crafting a firewall would be a weekend's work for someone who knows how to add lookup tables into a router.

Mandating use of some kind of decent API for "Internet Ready" apps would also mean that (gosh, darn!) developers would not have to re-code their own basic protocol building blocks from scratch every time. Make it easy for them to do it right, and make it so that if they do it wrong it won't _work_ and we'll not be blessed with the kind of braindamaged crap that we're constantly being expected to install on our desktops.

Why do we have so many different but almost the same application protocols for VPNs? SSH, SSL, SOCKS, etc - that stuff should all be settable options in the basic "connect my client software to this server software" function.

Before everyone follows up saying, "It ain't gonna happen!" I _KNOW_ it isn't. But it _COULD_ and that's what bugs me. We could make real progress, but we won't.

The industry will keep kludging and patching and kludging and patching and it won't be until we have the Big Software Chernobyl that someone will wake up and demand that it gets fixed. The Internet is too wild and woolly to be regulated as a whole so we have these ad-hoc judicial boundaries (called firewalls). They're an obsolete idea -- look at the huge number of apps that span them transparently, now.

It ain't going to happen because doing something like this would delay vendors' abilities to release the next wave of crud, and it'd completely crater the firewall market. And, of course, enough end users would have to give a hoot about security.

mjr.

</rant>

PS - I am going to exercise moderator's privilege and not forward responses to this rant unless they are truly illuminating, thought-provoking, and (at least) more interesting than the rant itself. ;)

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
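As an added illustration of the two-connection / PORT point and of the proposed rule 1 (this is editor-added example code, not from the post or the list): a small Python classifier that parses RFC 959 PORT commands and 227 passive-mode replies and reports whether the resulting data connection is originated by the client. The client address, the sample control-channel lines and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# RFC 959 encodes an address and port as six decimal octets: h1,h2,h3,h4,p1,p2
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.I)   # client -> server
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")          # server -> client


@dataclass
class DataConn:
    mode: str                # "active" (client sent PORT) or "passive" (server sent 227)
    host: str                # endpoint the data connection will be made to
    port: int
    client_originates: bool  # True only when the client opens the data connection


def _decode(groups) -> tuple:
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % (groups,))
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def classify(line: str, client_ip: str) -> DataConn:
    """Classify one FTP control-channel line (from either side) by the data
    connection it sets up.  client_ip is the control-connection client and is
    used to sanity-check where a PORT command points."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Active mode: the SERVER must connect back to the client.  A firewall in
        # front of the client only learns which inbound hole to open by parsing
        # the control channel, which is the "PORT nonsense" the post refers to.
        if host != client_ip:
            raise ValueError("PORT target %s is not the client %s" % (host, client_ip))
        return DataConn("active", host, port, client_originates=False)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Passive mode: the CLIENT connects to the server, which satisfies the
        # post's rule 1 (all connections originate from the client).
        return DataConn("passive", host, port, client_originates=True)
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def allowed_by_rule_1(line: str, client_ip: str) -> bool:
    """The post's proposed policy applied to one data-channel setup line."""
    return classify(line, client_ip).client_originates


if __name__ == "__main__":  # constructed sample lines, not captured traffic
    print(classify("PORT 192,0,2,10,4,1", "192.0.2.10"))
    print(classify("227 Entering Passive Mode (198,51,100,5,195,89).", "192.0.2.10"))
```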
Current thread:
- Our friend FTP, again Matthew Patton (Apr 14)
- Re: Our friend FTP, again Marcus J. Ranum (Apr 14)
- Re: Our friend FTP, again Woody Weaver (Apr 15)
- <Possible follow-ups>
- Re: Our friend FTP, again ark (Apr 15)
- Re: Our friend FTP, again Chad Schieken (Apr 15)
- Rant (Was Re: Our friend FTP, again) Marcus J. Ranum (Apr 15)
- Re: Rant (Was Re: Our friend FTP, again) Leonard Miyata (Apr 17)
- Re: Our friend FTP, again Chad Schieken (Apr 15)
- Re: Our friend FTP, again Marcus J. Ranum (Apr 14)
- Re: Our friend FTP, again Ryan Russell (Apr 15)
- Re: Our friend FTP, again Matthew Patton (Apr 17)
- Re: Our friend FTP, again Ryan Russell (Apr 15)