 |  |
15.6. Push Technologies
HTTP is a system in which clients ask for the information that they want (this is referred to as a pull technology, where the client pulls the information). In some situations, it is desirable for the server to send the information without being asked (this is a push technology, where the server pushes the information). For instance, if you want to be informed of some event (a change in a stock price, the outcome of a baseball game, a news item about an area of interest), it's most effective for you to inform the server about your interests once, and then have it send you the information when it becomes available. With standard HTTP, you would have to ask for the information repeatedly to see if it had arrived.Around 1997, push technologies were predicted as the next big thing on the Web, the most exciting thing to happen since the introduction of TV. They have yet to get much acceptance, for a combination of reasons. First, users have a strong and well-founded suspicion that the main reason that vendors want push technologies is so that they can push advertisements and other information that the user wouldn't have requested. Second, security and network bandwidth considerations cause site administrators to dislike the idea of having incoming unrequested information streams. At this moment, the magic application that would drive people to accept push technologies has not shown up, although there is a significant population that think the existing programs are really cool.
A number of competing programs still claim to be push technologies, although the number has been reduced in recent years. Currently, the popular programs (notably Pointcast and BackWeb) don't actually have to be push-based. Instead, they give an illusion of being push-based by using special HTTP clients that make regular requests for updates to specialized HTTP servers that inform them of changes in the information the user is watching. This polling process is transparent to the user, who sees something that looks like it's push-based.
The specialized clients don't tend to have the same security implications that traditional web browsers do (they don't support extension languages or external viewers, for instance; they call normal web browsers to deal with complex pages). They do have their own security implications (for instance, the clients are providing information to the server as part of the queries they make and are accepting data from the server).
Some of the traditional web browsers also support things that look like push technology (for instance, Explorer has Active Channels and Netscape has Netcaster). These are in fact based on polling over normal HTTP, sometimes with additional information to optimize the polling. In general, their security implications are identical to those of normal web browsing. Note that if you are pulling web pages that require authentication information, either you will have to provide that information at the start of the download (so much for having it automatically updated while you sleep), or you will have to trust the program to safely store the authentication information. In addition, these services make local copies of the web pages, and you should be sure that those are appropriately protected.
15.6.1. Summary of Recommendations for Push Technologies
- Do not pass push technologies through your firewall.
- Discourage users from using the specialized clients that imitate push technologies using HTTP.
