Paul D. Robertson wrote:
>I still think that Marcus
>bears some responsibility for plug-gw's success, though it wasn't meant as
>an excuse not to write proxies.

No _WAY_ am I gonna accept blame for the braindamage that
firewalls have become. C'mon, that's _NOT_ fair, Paul!!!

Plug-gw was intended for USENET netnews only. It got
re-purposed very quickly, however. :(

I remember quite clearly the moment when the battle
was lost. It was about 2 months or so after the Mosaic
browser had hit people's desktops and everyone was getting
excited about this World-Wide-Web thing. And one of the
firewall vendors (Checkpoint) took a look at the http protocol
(what little there was of it) and wrote an inspect script
and presto - they supported http. Meanwhile, one of the
guys at TIS (Dave Dalva) did a code review of the Mosaic
code, to see if there were actually any security risks
in the browser that might argue for why something more
than just passing http through was necessary. It turned out
that Dave found a number of pieces of major braindamage
in Mosaic - stuff that would make it easy for an attacker
to remote-control a victim's machine through URLs, and a
few things like that. So Dave worked with Marc Andreessen
to get that fixed. Meanwhile, the proxy firewall makers
didn't have an "answer" for http and the packet screeners
ran off with the gold medal.

Ever since then I've maintained that some day we were
going to pay bigtime for our rendering proxy gateways
moot. Now we're paying. More precisely, we're seeing
the tip of the iceberg and are saying "my that is an ugly
looking iceberg."

It gives me no satisfaction whatsoever to say "I told you so."

mjr.
---
Marcus J. Ranum, Chief Technology Officer, NFR Security, Inc.
Work:   http://www.nfr.com
Play: http://www.ranum.com
