Re: [HTTPfutures] Dan Connolly on HTTP goofs and musings / Two Way Web


From: Steve Dossick (sdossick@iPal.com)
Date: Thu Aug 31 2000 - 11:34:49 PDT


Jim Whitehead wrote:
> I dunno, maybe it's just because Roy is/was my officemate, and I've
> mind-melded with him, but I thought this was obvious.
>
> HTTP exposes its commands in a known location in the message, and the
> universe of commands is predefined in a community reviewed and approved
> standard. Hence, the syntax and semantics of commands are knowable by
> intermediaries, such as proxies and firewalls. Since the semantics are
> known ahead of time, it is possible to do a thorough security analysis, and
> then make informed decisions concerning what messages are allowed through
> firewalls.
>

This is kind of a red herring, no? GET requests can have the same
semantic effects on the back-end database of a server as a POST or PUT
can, depending on the code processing them. If I choose to architect my
application that way, I can get around all the 'community approval' of
the semantics of HTTP.

The real issue is that the web is so fundamental to so many companies
doing business these days that HTTP can't really be blocked at the
firewall.

--
Steve Dossick
Founder and Chief Architect
iPal
310-578-8331 (voice)
310-578-8336 (fax)
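
The point raised in the reply above, as an added example that is not part of the original message or of either poster's code: an intermediary that decides on the method token alone passes a GET that the back end treats as a delete, and the read-only guarantee only holds if the application enforces it. The `/delete` route, the record store, and the class and function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SAFE_METHODS = {"GET", "HEAD"}  # constructed proxy policy: read-only methods only


def proxy_allows(request_line: str) -> bool:
    """Intermediary view: the verdict depends on the method token alone."""
    return request_line.split(" ", 1)[0] in SAFE_METHODS


class NaiveApp:
    """Hypothetical back end that changes state no matter which method is used."""

    def __init__(self):
        self.db = {"1": "alice", "2": "bob"}  # constructed sample records

    def handle(self, request_line: str) -> int:
        _method, target, _version = request_line.split(" ")
        parts = urlsplit(target)
        query = parse_qs(parts.query)
        if parts.path == "/delete" and "id" in query:
            self.db.pop(query["id"][0], None)  # side effect, method never checked
            return 200
        return 404


class StrictApp(NaiveApp):
    """Same route, but a state change is refused when the method is a safe one."""

    def handle(self, request_line: str) -> int:
        method, target, _version = request_line.split(" ")
        if urlsplit(target).path == "/delete" and method in SAFE_METHODS:
            return 405  # Method Not Allowed: GET/HEAD stay read-only
        return super().handle(request_line)


def run(app, request_line: str):
    """Return (proxy verdict, app status or None, remaining record ids)."""
    if not proxy_allows(request_line):
        return (False, None, sorted(app.db))
    return (True, app.handle(request_line), sorted(app.db))


if __name__ == "__main__":
    for app in (NaiveApp(), StrictApp()):
        print(type(app).__name__, run(app, "GET /delete?id=1 HTTP/1.1"))
```
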



This archive was generated by hypermail 2b29 : Thu Aug 31 2000 - 11:33:17 PDT