Gopher and WAIS

Gopher is a menu-driven text-based tool for browsing through files and directories across the Internet. When a user selects a Gopher menu item, Gopher retrieves the specified file and displays it appropriately. This means that if a file is compressed, Gopher automatically uncompresses it; if it's a GIF image, Gopher automatically runs a GIF viewer. Standalone Gopher clients are now rare, but many web browsers support the Gopher protocol, and Gopher servers can be an efficient way of providing access to non-HTML documents for users of web browsers. A Gopher server is provided as part of Microsoft's Internet Information Server (IIS).

WAIS indexes large text databases so that they can be searched efficiently by simple keywords or more complicated Boolean expressions. For example, you can ask for all the documents that mention "firewalls" or all the documents that mention "firewalls" but don't mention "fire marshals". (You might do this to make sure you don't get documents about literal firewalls.) WAIS was originally developed at Thinking Machines as a prototype information service and, for a while, was widely used on the Internet for things like mailing list archives and catalogs of various text-based information (library card catalogs, for example). It is now much more common for people to provide search engines on web pages using CGI, instead of using WAIS directly as an access protocol. Some web browsers will speak the WAIS protocol, but WAIS servers are quite rare these days.

It is unlikely that you will ever want to run a standalone Gopher or WAIS client. Using the support for these protocols that is built in to a web browser adds no additional risk to the risks already posed by HTTP.

You are also unlikely to run a WAIS server, but you might run a Gopher server. Gopher servers present the same basic security concerns as the servers for all of the other common Internet services, such as FTP and HTTP: Can attackers use this server to access something they shouldn't? This is a particularly pressing problem on the Gopher server included as part of IIS, since many sites do not pay much attention to it, and may accidentally leave data where the Gopher server can read it. If you do not intend to run Gopher, turn it off; if you do intend to run it, be sure that it can read only information that you intend to make public.

For servers, you have to worry about what a malicious client can trick you into running. Like HTTP servers, some Gopher servers use auxiliary programs to generate Gopher pages on the fly. Gopher servers are therefore susceptible to the same kinds of problems as HTTP servers:

Like HTTP servers, Gopher servers also sometimes live on nonstandard ports, so those concerns are similar to HTTP as well. Some Gopher clients support transparent proxying (via SOCKS or other mechanisms), but many don't.

Gopher is a TCP-based service. Gopher clients use ports above 1023. Most Gopher servers use port 70, but some don't; see the discussion of nonstandard server ports in Section 15.3.3, earlier in this chapter.

WAIS is a TCP-based service. WAIS clients use random ports above 1023. WAIS servers usually use port 210, but sometimes don't; see the discussion of nonstandard server ports earlier, in the section on HTTP.

If you use a proxying Web browser like Netscape Navigator or Internet Explorer to access WAIS or Gopher, you automatically get proxy support using SOCKS and/or HTTP proxying.

In the unlikely event that you wish to use some other Gopher client, the TIS FWTK http-gw proxy server can serve Gopher as well as HTTP. SOCKS does not include a modified Gopher client, but Gopher clients are, in general, not difficult to modify to use SOCKS; many of the Gopher clients freely available on the Internet support SOCKS as either a compile-time or runtime option.

As a straightforward single-connection protocol with plenty of user-specified information, WAIS lends itself to both modified-client and modified-procedure proxying. SOCKS support is commonly available in standalone WAIS clients.

Gopher and WAIS do not use embedded IP addresses and will work with network address translation without problems.