PREMIUM SEARCH Search by job title, geography and build a list of executive contacts
Go ahead, click a hyperlink -- any hyperlink -- while surfing the Web. Chances are, you just sailed through Port 80 and probably didn't even know it. Port 80 is an abstract destination, a numerical designation that tells Web servers where to send data to your computer.
There are tens of thousands of these abstract ports on each computer, but Port 80 is the busiest. Why? It's the default destination on computers for data in HTML (Hypertext Markup Language), the lingua franca of the Net. This text-based language tells your Web browser what to display when you arrive at a Web site.
Port 80 emerged as the agreed-upon standard destination for HTML in the early days of the Internet. And the numerical designation (80) really means nothing -- it's the common acceptance that makes it so important. "A port is a way for an individual computer to figure out which application that's running on that computer should receive any given piece of data. It's possible to run a Web server on Port 5067, except nobody would know where it is and the data would never get to the outside world," explains Shawn Hernan, a team leader working on vulnerability problems at the U.S. Computer Emergency Response Team (www.cert.org).
OVER THE FIREWALL.
And there's the rub -- vulnerability. Like any true superhighway, Port 80 is always open, be it on a high-powered corporate network or on a little laptop. Because so many people need to surf the Web to get work done these days, corporate firewalls and proxy servers generally allow traffic to pass through Port 80 with relative ease. That has led businesses to flout the unenforced rule that only HTML should go over Port 80.
Nowadays, companies jam not only text-based HTML code but also more powerful computer languages (such as Java or Active-X) through Port 80 to ensure their Internet-based offerings make it over corporate firewalls. Companies like Driveway and X:Drive that offer Internet-based storage to consumers and businesses send sensitive files over Port 80 just because that's the easiest path.
"When a surfer contacts a Web server, instead of sending back just text-based language, the servers today are sending back video and audio and data and all sorts of things besides HTML, because nobody wants to block the traffic coming back to Port 80. So the application vendors, instead of trying to secure and standardize their own port, use Port 80," says Hernan.
LESS SCRUTINY.
The increasing diversity of traffic going over Port 80, furthermore, makes it even harder for firewalls to do their job of recognizing and filtering out malicious packets of code. That could give easy access to hackers wishing to attack individual users or access corporate networks through vulnerabilities in Web browsers.
And whereas e-mail now gets more scrutiny because of viruses such as the "Love Bug," downloading files over Port 80 receives less scrutiny. "Just because it says you're getting a media player doesn't mean that's all you're getting. People don't get the implication that they're executing software on their workstation. And they don't tend to associate the risk because they say, 'I'm out on the Web, and I should be able to do anything I want,'" says Matthew G. Devost, a senior security analyst at Virginia-based Security Design International (www.sdii.com).
Of course, limiting Web surfing and the use of applications served over Port 80 too stringently could affect productivity. And in some cases, applications served over Port 80 have strong security measures. For example, X:Drive uses strong encryption layers and claims that its service is more secure than the more traditional way of distributing stored files, namely e-mail.
DISTANT STANDARDS.
But experts are recommending more thoughtful security policies to deal with the abuse of Port 80, particularly when it involves Internet-based storage applications that allow widespread file-sharing. Jon Callas, director of engineering at Counterpane Internet Security (www.counterpane.com), recommends that any sensitive information you put on a shared system should be encrypted. Actually, Callas recommends you don't put it out there, period. "If you don't care who reads it, then your security parameters are much looser," he says.
Alternatively, businesses jamming Port 80 with non-HTML code should start exploring ways to establish standardized ports for other applications. For example, if all companies agreed to serve streaming media over Port 90 and Internet-based storage over Port 100, then security companies could build better products to sift through the traffic and more easily screen out evil code. Those standards are likely years away, says Callas, as are efforts to beef up the security of existing Web browsers. Alas, it might take a Love Bug or some other virulent pathogen downloaded as an MP3 file to make the Internet industry snap to attention.
Salkever writes about security issues for BW Online. Follow his column twice a month, only on BW Online
Copyright 2000 , by The McGraw-Hill Companies Inc. All rights reserved.
Printer-Friendly Version
