Everybody knows it, but nobody wants to admit that HTTP is a completely broken protocol. Anybody in the world can initiate a connection with your web server and request absolutely any file or path that you may or may not have available. If you've run a web site for any amount of time, surely you've seen worm tracks and fake referrers in your logs.
You really can't fix HTTP — it's beyond repair. I'm sick of being told "just ignore malformed requests and broken links". The real solution is to throw out HTTP completely and rewrite it from scratch to keep in mind authentication, authorization, and security.
That might take a while though, so here are some other ideas that will tide us over.
- Require a token micropayment from everyone who requests a page. After you review the request and decide it's legitimate, you can refund the payment.
- Require an authorization step, where any incoming connection immediately receives a challenge. This could be performing a small-but-significant mathematical operation or it could be a manual response step. Anyone who performs this step successfully will be added to a whitelist and never challenged again. Of course, you can add people to the whitelist if you have regular traffic from friends or family.
- Maintain a list of filters that deny requests that conform to certain parameters. Some people prefer to reject requests that are obvious forgeries — requests that match Code Red, for example. Other people are more aggressive, subscribing to services that publish the IP addresses of known bad Internet citizens.
I think it's time we got serious about the Internet.
Interesting suggestions ...
rob_au on 2003-06-17T03:50:55
I'm curious as to the merit which you see in these suggestions when you have previously posted against such proposals in relation to SMTP?
I would imagine that it is the "pull" nature of HTTP - as opposed to the "push" nature of SMTP - which differentiates these services, but would like to hear your perspective and thoughts on this.
Re:Interesting suggestions ...
chromatic on 2003-06-17T04:32:57
Good satire is hard to write. I blame Piers for bringing up Jonathan Swift tonight.
Gut reaction
Doesn't this make it easier for "closed gardens"? Which is another way of saying, "I don't like it".
Then again, that is just a quick reaction without any thought whatsoever.
:-)
I'll go cogitate on this.
:-D
Matts on 2003-06-17T09:51:36
I feel there's humour in there...
I just wanted to add that HTTP is actually my favourite protocol. It's got everything you need for just about any type of communication:
- Extensibility (see DAV)
- Content negotiation
- Feature negotiation
- Multiple encodings handled sanely
- Statefulness when you need it
- Easy to parse, easy to produce
- Metadata on all requests
- Caching
- ... and probably more I've forgotten
Now why can't SMTP be more like HTTP?