On Wed, 13 Dec 2000, Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
> >I still think that Marcus
> >bears some responsibility for plug-gw's success, though it wasn't meant as
> >an excuse not to write proxies.
>
> No _WAY_ am I gonna accept blame for the braindamage that
> firewalls have become. C'mon, that's _NOT_ fair, Paul!!!
Yeah, it's not fair, but the number of times I've had to explain "It's a
_transport layer_ relay, not an application layer proxy, and that means it
doesn't..." means that someone at least owes me a beer!
If plug-gw weren't such an easy to use tool, we'd probably be better off.
I'll be the first to admit I've plugged crap through that I shouldn't
have, and if you hadn't designed such an incredibly useful tool, I'd have
had to have done the real work necessary. I differentiate blame and
responsibility too. I'll easily take the blame for the specific
instantiations I did, but I'm not responsible for the idea ;)
> Plug-gw was intended for USENET netnews only. It got
> re-purposed very quickly, however. :(
It was entirely too easy to "just plug it" instead of
writing/bitching/refusing a new application proxy.
> I remember quite clearly the moment when the battle
> was lost. It was about 2 months or so after the Mosaic
> browser had hit people's desktops and everyone was getting
> excited about this World-Wide-Web thing. And one of the
> firewall vendors (Checkpoint) took a look at the http protocol
> (what little there was of it) and wrote an inspect script
> and presto - they supported http. Meanwhile, one of the
> guys at TIS (Dave Dalva) did a code review of the Mosaic
> code, to see if there were actually any security risks
> in the browser that might argue for why something more
> than just passing http through was necessary. It turned out
Yep, "fast or right" seems to be the major decision point with "secure or
popular" following right behind.
> that Dave found a number of pieces of major braindamage
> in Mosaic - stuff that would make it easy for an attacker
> to remote-control a victim's machine through URLs, and a
> few things like that. So Dave worked with Marc Andreesen
> to get that fixed. Meanwhile, the proxy firewall makers
> didn't have an "answer" for http and the packet screeners
> ran off with the gold medal.
Ok, we'll make you partially responsible and Marc Andreesen totally to
blame, how's that?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."