forward the data. In the case of SSL tunneling, this is because the
proxy should not need to know the entire URI that is being accessed
(privacy, security), only the information that it explicitly needs
(hostname and port number) in order to carry out its part.
Because of this, the proxy cannot necessarily verify that the
protocol being spoken is really the one it is supposed to tunnel (SSL,
for example), and so the proxy configuration should explicitly limit
allowed connections to the well-known ports for that protocol (such as
443 for HTTPS and 563 for SNEWS, as assigned by IANA, the Internet
Assigned Numbers Authority).
Ports of specific concern include the telnet port (port 23), the SMTP
port (port 25) and many UNIX-specific service ports (range 512-600).
Allowing tunnelled connections to e.g. the SMTP port might
enable the sending of uncontrolled E-mail ("spam").
TCP PROTOCOL TUNNELING IN WEB PROXY SERVERS INTERNET-DRAFT August 1998
8. Author's Address:
Ari Luotonen <ari@netscape.com>
Mail-Stop MV-068
Netscape Communications Corporation
501 East Middlefield Road
Mountain View, CA 94043
USA