The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

HTTP & firewalls

IE does not trigger the firewall on my XP (should it?), and embedding IE into an application does not either. Does that mean that if I communicate over HTTP in an application, the firewall will not try to block the communication?
coder
Monday, March 24, 2008
 
 
Presumably your Windows firewall is configured to allow HTTP traffic on port 80 through.
John Topley Send private email
Monday, March 24, 2008
 
 
Is that the standard? I don't think I enabled it manually. I am using an admin account though..
coder
Monday, March 24, 2008
 
 
I think the Windows firewall is configured to allow IE to access the Web by default. Otherwise Microsoft would be inundated with support calls!
John Topley Send private email
Monday, March 24, 2008
 
 
So if I stick with HTTP, then I don't have to worry about the firewall blocking my app?
coder
Monday, March 24, 2008
 
 
There is a difference between outbound and inbound traffic as well as differences between different types of firewalls. All firewalls should support blocking the creation of sockets/ports for listening to inbound traffic. But the Windows firewall in older versions of Windows (XP for example) did not block/monitor outbound traffic. IE does not create any listening ports by default (unless it is running some applet or ActiveX control that attempts to do so). So this probably explains why you aren't seeing any firewall prompts. But Vista does contain an outbound traffic monitor (as do Zone Alarm and many other commercial offerings) so you might see firewall prompts depending on your settings.

As for HTTP being safe for firewalls, you aren't really guaranteed of this. There is nothing inherent in HTTP that causes it to be treated differently for most firewall products. It is only by convention that most firewalls will allow basic web access to work (but not always). It really depends on the products and the role of the machine. For example, a server machine will have to allow inbound traffic on port 80 (or whatever port is designated for the traffic) if it is also an HTTP server. But a client machine accessing that same HTTP server will be doing so using an ethereal port for responses that is in some other entirely different port range.
dood mcdoogle
Monday, March 24, 2008
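As an added illustration (not from the thread or any product), the inbound/outbound distinction above as a toy stateful host filter: unsolicited inbound connections are dropped, replies to a connection the host opened are accepted on the client's ephemeral port, and outbound is either unchecked (XP-style) or checked per application (Vista/ZoneAlarm-style). Port numbers and process names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen by the host firewall (constructed toy model)."""
    direction: str   # "in" or "out", relative to the protected host
    src_port: int
    dst_port: int
    syn: bool        # True for the connection-opening segment
    app: str = ""    # process owning the local socket (known for "out" only)

class HostFirewall:
    """Inbound is allowed only as a reply to a connection this host opened
    (the reply lands on the client's ephemeral port) or on an explicitly opened
    listening port.  Outbound: XP-style with no per-application check when
    outbound_allowed_apps is None; otherwise prompt for any unlisted app."""

    def __init__(self, listen_ports=(), outbound_allowed_apps=None):
        self.listen_ports = set(listen_ports)
        self.outbound_allowed_apps = outbound_allowed_apps
        self.flows = set()  # (local ephemeral port, remote port) pairs we opened

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.syn:
                apps = self.outbound_allowed_apps
                if apps is not None and pkt.app not in apps:
                    return "prompt"  # hand the decision to the user
                self.flows.add((pkt.src_port, pkt.dst_port))
            return "allow"
        if (pkt.dst_port, pkt.src_port) in self.flows:
            return "allow"  # reply to our own request, even on a high port
        if pkt.dst_port in self.listen_ports:
            return "allow"  # this host deliberately serves that port
        return "drop"       # unsolicited inbound connection attempt

def demo():
    """Replays the thread's scenarios; returns the verdicts in order."""
    browser_out = Packet("out", 49152, 80, syn=True, app="iexplore.exe")
    server_reply = Packet("in", 80, 49152, syn=False)
    unsolicited = Packet("in", 40000, 80, syn=True)
    myapp_out = Packet("out", 49153, 80, syn=True, app="myapp.exe")
    xp = HostFirewall()                      # XP client: nothing listening
    vista = HostFirewall(outbound_allowed_apps={"iexplore.exe"})
    return (xp.filter(browser_out),          # allow: outbound not checked
            xp.filter(server_reply),         # allow: reply to our own flow
            xp.filter(unsolicited),          # drop: nothing listening on 80
            HostFirewall(listen_ports={80}).filter(unsolicited),  # allow
            vista.filter(browser_out),       # allow: browser is on the list
            vista.filter(myapp_out))         # prompt: unknown application
```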
 
 
Sorry, "ethereal" should have been "ephemeral" above...
dood mcdoogle
Monday, March 24, 2008
 
 
Congratulations, you've discovered HTTP tunneling.
hobit Send private email
Monday, March 24, 2008
 
 
The Windows firewall in Windows XP does not prompt and block outbound traffic, but many others will. Norton Firewall does that. Also if a proxy server is configured to handle the traffic, it is easy to find out by examining the log files. I looked through log files from time to time to determine if some applications silently call home.

I always wonder why Microsoft have not come up with a solution to allow/block HTTP traffic on a per-application basis. All efforts are on the so-called "security zone" in IE, with no attention to issues involving standalone applications.
Glitch
Monday, March 24, 2008
 
 
> The Windows firewall in Windows XP does not prompt and
> block outbound traffic, but many others will.

How does Joel's CoPilot work around this then?
coder
Tuesday, March 25, 2008
 
 
Dan Fleet Send private email
Tuesday, March 25, 2008
 
 
Programs shouldn't try to get round outbound firewalls (like ZoneAlarm). When the program tries to connect the firewall will simply ask the user if they want to allow the connection, and if the user is expecting the program to connect to the net (like they should with CoPilot for example) they can choose to allow it. On the other hand if they aren't expecting it to connect they can deny it.

That means if you want your program to connect reliably when there's an outbound firewall installed then you should make it clear to the user that you are connecting, and why you are doing it.
Adam
Wednesday, March 26, 2008
 
 
The issue is that I keep hearing over and over how users get scared by the fact that the firewall caught the application trying to go out to the internet.

In my case, I am not trying to do anything under the radar. It is a connected desktop application with an embedded browser and it will of course need to go out to the internet for various reasons, but perhaps it won't be obvious to some users why it is doing this (I know, it should be obvious, but we all know it won't). Plus it will need to scan for updates.

If I can do all this silently, that would be better.
coder
Wednesday, March 26, 2008
 
 
Well it wouldn't be a very useful firewall if it let a program connect silently to the Internet. That's the whole point of a firewall in the first place.
uggh
Wednesday, March 26, 2008
 
 
++Glitch. The Windows XP firewall only blocks inbound traffic, not outbound. Since IE would be outbound, no blocking is necessary.

coder: Why is it you keep trying to do these mysterious, questionable things (mouse clicks on files in Explorer, circumventing firewalls)? Just document the fact that your app will be needing access to the internet, and in that documentation tell the user why. No doing things behind their backs required.

And just FYI? When I catch an app doing stuff it shouldn't without telling me first, like calling home, I delete the piece of garbage from my machine. Expect that to happen with your users if you keep it up.
Ken White Send private email
Thursday, March 27, 2008
 
 
> It is a connected desktop application with an embedded browser

If the application features a browser window, you will not scare an end-user by connecting to the Internet.

But your concern may be valid in some scenarios, in which case a workaround would be to work with an out-of-process browser. You could install a helper for IE and have your application talk with this helper. From the point of view of any firewall, the outbound traffic will belong to IE.

Needless to say, an end-user or her sysadmin can define firewall rules that will not allow IE to connect freely to your server.
Alex Cohn Send private email
Sunday, March 30, 2008
 
 
I think you should use HTTPS instead of HTTP. HTTPS is almost always allowed for outbound traffic and HTTPS is never examined because it can't be examined, as it is supposed to be encrypted securely. So all HTTPS traffic is forwarded by the different nodes as is, whereas malformed HTTP packets may be dropped by nodes along the way as they can be examined and usually are examined. But using HTTPS doesn't guarantee that ZoneAlarm will not alert the user that your program is accessing the internet, but then what's the big deal about letting the user know that your program is accessing the internet (unless you are writing a worm/virus)?
dd
Monday, April 07, 2008
 
 

This topic is archived. No further replies will be accepted.
