15.6. Push Technologies
HTTP is a system in which clients ask for the information that they want (this is referred to as a pull technology, where the client pulls the information). In some situations, it is desirable for the server to send the information without being asked (this is a push technology, where the server pushes the information). For instance, if you want to be informed of some event (a change in a stock price, the outcome of a baseball game, a news item about an area of interest), it's most effective for you to inform the server about your interests once, and then have it send you the information when it becomes available. With standard HTTP, you would have to ask for the information repeatedly to see if it had arrived.
Around 1997, push technologies were predicted as the next big thing on the Web, the most exciting thing to happen since the introduction of TV. They have yet to get much acceptance, for a combination of reasons. First, users have a strong and well-founded suspicion that the main reason that vendors want push technologies is so that they can push advertisements and other information that the user wouldn't have requested. Second, security and network bandwidth considerations cause site administrators to dislike the idea of having incoming unrequested information streams. At this moment, the magic application that would drive people to accept push technologies has not shown up, although there is a significant population who think the existing programs are really cool.
A number of competing programs still claim to be push technologies, although the number has been reduced in recent years. Currently, the popular programs (notably PointCast and BackWeb) don't actually have to be push-based. Instead, they give an illusion of being push-based by using special HTTP clients that make regular requests for updates to specialized HTTP servers that inform them of changes in the information the user is watching. This polling process is transparent to the user, who sees something that looks like it's push-based.
This approach removes many of the difficulties with true push-based technologies. It doesn't require a new protocol or inbound connections, for instance. On the other hand, it does use bandwidth as the clients check for updates. The specialized clients are generally aware of proxies but may not support all the same features that normal web browsers support (for instance, they don't generally have support for auto-configuration of proxies or for proxy authentication schemes).
The specialized clients don't tend to have the same security implications that traditional web browsers do (they don't support extension languages or external viewers, for instance; they call normal web browsers to deal with complex pages). They do have their own security implications (for instance, the clients are providing information to the server as part of the queries they make and are accepting data from the server).
Some of the traditional web browsers also support things that look like push technology (for instance, Explorer has Active Channels and Netscape has Netcaster). These are in fact based on polling over normal HTTP, sometimes with additional information to optimize the polling. In general, their security implications are identical to those of normal web browsing. Note that if you are pulling web pages that require authentication information, either you will have to provide that information at the start of the download (so much for having it automatically updated while you sleep), or you will have to trust the program to safely store the authentication information. In addition, these services make local copies of the web pages, and you should be sure that those are appropriately protected.
There are also genuine push technologies in use, and both BackWeb and PointCast will run as genuine push technologies when they can, using their own protocols. It's not clear what security implications these protocols have, since they're proprietary. However, they accept inbound connections, often return data, and usually have little or no authentication. While there have not been many security problems with them so far, that may simply be because they are not popular enough to attract many attackers. Certainly there seems to be good reason to worry about their security. It is also possible to combine a traditional web browser with a specialized push client using plug-ins, and PointCast provides such a plug-in. The plug-in has the same security implications as the normal PointCast service.
15.6.1. Summary of Recommendations for Push Technologies
- Do not pass push technologies through your firewall.
- Discourage users from using the specialized clients that imitate push technologies using HTTP.
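As an added example (not from the book), here is a small Python check over a proxy log that surfaces the pseudo-push clients described above: a client that fetches the same URL at a near-constant interval is polling on a schedule, which is exactly what the second recommendation asks you to discourage. The log format, addresses and URLs are constructed for this example and assume a log of "epoch client method url" lines.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log ("epoch client method url"), not real traffic:
# 10.0.0.5 fetches one channel URL every 600 s exactly (a polling client),
# 10.0.0.9 browses the same site at irregular, human-paced times.
SAMPLE_LOG = """\
946684800 10.0.0.5 GET http://channel.example/updates.xml
946685400 10.0.0.5 GET http://channel.example/updates.xml
946686000 10.0.0.5 GET http://channel.example/updates.xml
946686600 10.0.0.5 GET http://channel.example/updates.xml
946687200 10.0.0.5 GET http://channel.example/updates.xml
946684810 10.0.0.9 GET http://channel.example/index.html
946684873 10.0.0.9 GET http://channel.example/story.html
946685901 10.0.0.9 GET http://channel.example/index.html
946690200 10.0.0.9 GET http://channel.example/index.html
946691050 10.0.0.9 GET http://channel.example/index.html
"""

def parse_log(text):
    """Group request times by (client, url); times are sorted ascending."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, client, _method, url = line.split()
            hits[(client, url)].append(int(ts))
    for times in hits.values():
        times.sort()
    return hits

def find_pollers(hits, min_requests=4, max_jitter=0.1):
    """Return [(client, url, mean_interval)] for URLs fetched on a steady schedule.
    "Steady" means the spread of inter-request gaps (std dev / mean) is at most
    max_jitter over at least min_requests fetches; a person reloading a page
    does not keep that rhythm, but a pseudo-push client does.
    """
    pollers = []
    for (client, url), times in hits.items():
        if len(times) < min_requests:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            pollers.append((client, url, avg))
    return pollers

if __name__ == "__main__":
    for client, url, avg in find_pollers(parse_log(SAMPLE_LOG)):
        print(f"{client} polls {url} every {avg:.0f}s")  # 10.0.0.5 ... 600s
```

The threshold and minimum count are starting points; a client that adds deliberate jitter to its schedule needs a looser max_jitter, at the cost of more false positives from genuinely regular human habits.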