Re: [TLS] Next protocol negotiation

[Marsh Ray <marsh@extendedsubset.com>]

Steve Dispensa wrote:
> On 1/20/10 10:26 AM, "Marsh Ray" <marsh@extendedsubset.com> wrote:
>> One point of view is that firewall admins are ports because of their
>> intentional policies and it is their right to control what goes on on
>> their own network.
> 
> That's giving many administrators too much credit; the new WizBang
> FireScannerProxyWallThingy(TM) is configured to automatically block anything
> and everything, because that's what WizBang's coders read was best practice
> in the latest Gartner report, and the administrator is only dimly aware of
> what's really going on. He just knows he can check the box on this year's
> SAS-70 audit.

That's an intentional policy which is their right to set (whether it's a
good one or not).

> Surely you're right some of the time, but I suspect stuff gets automatically
> blocked more often than not.

Blocking outbound connections based on destination port number is
particularly stupid since it's a parameter trivially controlled by an
attacker.

It's more a tactic to discourage people within the organization from
using new protocols. Malware won't have any problems though.

There will never be a clean and standardized way to get around firewalls
that are trying to block you. Once a technique shows up on the radar,
sooner or later it will get subjected to policy. The radar seems to get
faster over time, too.

For a high-profile company like Google to develop a new transport for
the web, the best method might very well be to just get a proper port
number allocation and make the protocol useful and secure enough that
admins actually let it thorough. One thing that might help would be to
make it easy for filtering proxies to inspect.

- Marsh