URI has nothing to do with payload.

POST /somefile.ext HTTP/1.1
HOST: myserver.com
Content-Length: <length of blob>

Key=<binary blob here>

Is an entirely valid HTTP request, and the URI is well formed. Unfortunately 
you have no visibility into the <binary blob here> part unless your proxy 
happens to be able to decode that traffic.

How does your proxy handle SSL VPNs/SSTP or RPC over HTTPS? Or RDP over HTTPS? 
Or any number of current arbitrary protocols, that have non-transparent body 
data, that now run over HTTP/HTTPS?

Cheers
Ken
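
Added example, not part of Ken's message or anything else in this thread: a small parser for requests like the one above that checks the request-target the way a URI-enforcing proxy does, then reports whether the body can actually be read as the declared Content-Type. The regex, function names and the two sample requests are my own constructions.

```python
import re

# Request-target grammar (path plus optional query), the kind of "well-formed
# URI" check a URI-validating proxy enforces. Loose, but enough for the demo.
URI_RE = re.compile(
    r"^/[A-Za-z0-9._~!$&'()*+,;=:@%/-]*"
    r"(\?[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*)?$"
)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def uri_is_well_formed(target: str) -> bool:
    return URI_RE.match(target) is not None

def body_is_visible(headers: dict, body: bytes) -> bool:
    """True only if the body can be interpreted as the declared Content-Type.
    Anything else is an opaque blob the proxy cannot reason about."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    printable = all(b in b"\r\n\t" or 0x20 <= b < 0x7F for b in body)
    if ctype == "application/x-www-form-urlencoded":
        if not printable:
            return False
        pairs = [p for p in body.decode("ascii").split("&") if p]
        return all("=" in p for p in pairs)
    if ctype.startswith("text/"):
        return printable
    return False  # binary, custom or missing type: no visibility at all

def inspect(raw: bytes) -> dict:
    _method, target, headers, body = parse_request(raw)
    return {"uri_ok": uri_is_well_formed(target),
            "body_visible": body_is_visible(headers, body)}

# Constructed samples: identical well-formed URI, very different bodies.
FORM_POST = (b"POST /somefile.ext HTTP/1.1\r\nHost: myserver.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 9\r\n\r\nKey=value")
BLOB_POST = (b"POST /somefile.ext HTTP/1.1\r\nHost: myserver.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 8\r\n\r\nKey=" + bytes([0x00, 0x8F, 0xC2, 0x16]))
```

Both samples pass the URI check; only the second is flagged as a body the proxy cannot see into, which is exactly the gap a URI-only policy leaves.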

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Wednesday, 9 December 2009 11:34 PM
To: NT System Admin Issues
Subject: Re: A new challenge for me...

I at least have the minimal protection afforded by enforcing well-formed URIs - 
and a few other goodies it does.

Poking an arbitrary TCP hole in the firewall doesn't even give me that.

On Wed, Dec 9, 2009 at 07:18, Ken Schaefer <[email protected]> wrote:
> How do you even know that the protocol sitting on top of port 80/443 
> is understandable by your proxy? It's just arbitrary data encapsulated 
> in an HTTP (or maybe even not) payload
>
> If I send a POST request, how does your proxy even know how to decode the 
> POST payload?
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Wednesday, 9 December 2009 11:12 PM
> To: NT System Admin Issues
> Subject: Re: A new challenge for me...
>
> At least I can proxy 80/443, and my firewall understands http(s) - I love my 
> Sidewinder.
>
> On Wed, Dec 9, 2009 at 07:06, Ken Schaefer <[email protected]> wrote:
>> With that attitude, no wonder every single product now uses the "universal 
>> firewall bypass" port to conduct its business.
>>
>> Cheers
>> Ken
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[email protected]]
>> Sent: Wednesday, 9 December 2009 11:03 PM
>> To: NT System Admin Issues
>> Subject: Re: A new challenge for me...
>>
>> And that's two ports too many.
>>
>> On Wed, Dec 9, 2009 at 04:25, Jon Harris <[email protected]> wrote:
>>> I did not have that many open for the installation I had to manage.
>>> I think I had a total of 4 ports open and 2 of those 80 and 443 had 
>>> to be open anyway.
>>>
>>> Jon
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
