Firewall Wizards mailing list archives

Rant (Was Re: Our friend FTP, again)


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 15 Apr 1999 17:26:29 -0400

<rant>

Chad Schieken wrote:
> let's give Marcus the benefit of the doubt and assume he meant https

Sorry, I meant "HTTP as it should be" not "HTTP as it is." I keep
forgetting that somehow one of the world's most important standards
left out real security. :( SSL would be a good replacement for FTP.
HTTP is a good replacement for anonymous FTP. That's not to say
that either protocol is good by any means.

In moments of idle fantasy, I imagine that we could somehow
start over with the Internet Codebase. Deprecate _all_ the apps
that we are currently running, replacing them with similar apps
built atop decent high level APIs that incorporate necessary
and desirable features sockets lack (session redirection,
connection to service negotiation, session resumption/reconnection,
encryption, authentication, authorization, integrity checksums,
buffering/record formats). We gotta remember that this whole
industry is very very very young. Other industries bury the
prototypes of the first generation of technology. We, on the
Internet, enshrine them and refuse to give them up. The Demon
of Backwards Compatibility has us by the short'n'curlies in a
major major way. Few people drive first generation cars, use
first generation dentistry techniques, fly first generation
aircraft, and submit to first generation surgery. Think about
that for a second.

I did a presentation about a year ago at Black Hat in which I
advocated scrapping the current app base and starting over.
Combine that with mandating filtering on backbone so that
only "Internet Ready" app traffic is allowed. Then we blame it
on Y2K. :) It's scary to me that, as an industry, we spend
$500mm/year on firewalls(band-aids) rather than actually fixing
the problem. We _could_ easily produce a major move forward
in secure communications APIs, and the necessary marketing push
to get everyone to play, for a lot less than $500mm!

One of my favorite quiz questions is the FTP question: "Who
in this room knows why FTP uses two connections the way it does
for transferring data?"  Nobody has ever had the right answer.
The right answer is that NCP, the protocol before TCP, had
sockets that only carried data in one direction, hence the need
for 2 connections and all that wretched PORT nonsense. When
TCP came along, nobody fixed FTP.

Let's take HTTP for another example. It's _proof_ that you
can massively deploy a whole new protocol in almost no time
at all. Indeed, it got end users in the habit of downloading
new code every week. By Jan 1, 2000, I bet that the vast
majority of people will be running a newer version of a
browser than they are now. We _can_ ditch old code; we just
don't choose to ditch _enough_ of it.

A few very simple draconian standards would go a long, long
way. How about this one for starters:
1) _ALL_ "Internet Ready" applications originate _ALL_
connections from the client, to the server.

This would possibly mean a little bit of extra thinking and
maybe a bit of extra coding (probably not) on the part of
app developers, but think of the implications! It'd do a
hell of a lot more for security than IPSEC will, and it'd
mean that crafting a firewall would be a weekend's work
for someone who knows how to add lookup tables into a router.

Mandating use of some kind of decent API for "Internet Ready"
apps would also mean that (gosh, darn!) developers would
not have to re-code their own basic protocol building blocks
from scratch every time. Make it easy for them to do it right,
and make it so that if they do it wrong it won't _work_ and
we'll not be blessed with the kind of braindamaged crap that
we're constantly being expected to install on our desktops.
Why do we have so many different but almost the same application
protocols for VPNs? SSH, SSL, SOCKS, etc - that stuff should
all be settable options in the basic "connect my client
software to this server software" function.

Before everyone follows up saying, "It ain't gonna happen!"
I _KNOW_ it isn't. But it _COULD_ and that's what bugs me. We
could make real progress, but we won't. The industry will
keep kludging and patching and kludging and patching and
it won't be until we have the Big Software Chernobyl that
someone will wake up and demand that it gets fixed. The
Internet is too wild and wooly to be regulated as a whole so
we have these ad-hoc judicial boundaries (called firewalls).
They're an obsolete idea -- look at the huge number of apps
that span them transparently, now.

It ain't going to happen because doing something like this
would delay vendors' abilities to release the next wave
of crud, and it'd completely crater the firewall market.
And, of course, enough end users would have to give a hoot
about security.

mjr.
</rant>

PS - I am going to exercise moderator's privilege and not
forward responses to this rant unless they are truly illuminating,
thought-provoking, and (at least) more interesting than the
rant itself. ;)
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
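As an added illustration of rule 1 above (example code, not from the original post or its author): a toy stateful filter that admits only connections an inside client originated, run over constructed traffic. It shows why active-mode FTP, where the server connects back to the client after a PORT command, is exactly what such a rule rejects, while HTTP and passive-mode FTP pass. Addresses, ports and the `ClientOriginatedFilter` name are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the segment that opens a connection


class ClientOriginatedFilter:
    """Stateful filter for the rule "the client originates every connection":
    inside hosts may open connections outward; a connection attempt arriving
    from outside is dropped unless it is part of a session an inside client opened."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.sessions = set()  # 4-tuples of sessions opened from inside

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            if self._is_inside(p.src) and not self._is_inside(p.dst):
                self.sessions.add(fwd)  # remember the client-opened session
                return "ALLOW"
            return "DROP"  # inbound open: nobody inside asked for it
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ALLOW" if fwd in self.sessions or rev in self.sessions else "DROP"


def run_demo():
    """Constructed traffic: HTTP, active-mode FTP and passive-mode FTP."""
    fw = ClientOriginatedFilter("10.0.0.")
    client, web, ftp = "10.0.0.5", "203.0.113.7", "203.0.113.9"
    return {
        # HTTP: client opens, server answers on the same 4-tuple
        "http_syn": fw.decide(Packet(client, 40000, web, 80, syn=True)),
        "http_reply": fw.decide(Packet(web, 80, client, 40000, syn=False)),
        # Active FTP: control channel is fine, but after the PORT command the
        # *server* opens the data connection from port 20 back to the client
        "ftp_ctrl": fw.decide(Packet(client, 40001, ftp, 21, syn=True)),
        "ftp_active_data": fw.decide(Packet(ftp, 20, client, 40002, syn=True)),
        # Passive FTP: the client opens the data channel, so the rule is satisfied
        "ftp_pasv_data": fw.decide(Packet(client, 40003, ftp, 50000, syn=True)),
    }
```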
