next up previous
Next: 2.3.2 Server threats Up: 2.3 What Does the Previous: 2.3 What Does the

2.3.1 Client threats

The major security issue with running client software arises from the nature of the web: client programs interpret data downloaded from arbitrary servers on the Internet. If the contents of this imported data are not checked, the data has the potential to subvert programs running on the client systems. These "Trojan horses" may take several forms, from malicious URLs to rogue code that is run through interpreters (such as PostScript) on the client system.

Another significant security issue applies mostly to sites that are protected by Internet firewalls. These sites have implemented security policies in their firewalls that describe the network services they want to permit within their organizations. A feature of URLs is that they support several resource types: file, Ftp, Http, Gopher, Wais, Nntp, Mailto, Prospero, Telnet, and Rlogin (other resources are in the works). It is likely that the firewall implementation permits only a subset of these resources. Since web clients and servers reach these services through their own mechanisms rather than the normal ones (independently of the normal Ftp channels, for example), it is therefore possible to bypass a firewall security policy by using web services.
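The following is an added example, not part of the original text: a small Python check of the kind a site's web proxy or client configuration could apply to enforce the firewall policy on URL resource types. The list of known schemes is the one given in the paragraph above; the set of permitted schemes is a hypothetical site policy, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# URL resource types (schemes) named in the text above.
KNOWN_SCHEMES = frozenset({
    "file", "ftp", "http", "gopher", "wais", "nntp",
    "mailto", "prospero", "telnet", "rlogin",
})

# Hypothetical site policy: the firewall permits only these services,
# so the web proxy must refuse URLs that would reach any other service.
PERMITTED_SCHEMES = frozenset({"http", "ftp", "gopher"})


def url_scheme(url):
    """Return the lower-case scheme of url, or None if it has none.

    Leading/trailing whitespace is stripped first, since a URL pasted
    into a document often carries it.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme or None


def check_url(url, permitted=PERMITTED_SCHEMES):
    """Decide whether a URL may be fetched under the site policy.

    Returns (allowed, reason). The check fails closed: a URL with no
    scheme, or with a scheme that is not one of the known resource
    types, is refused rather than guessed at.
    """
    scheme = url_scheme(url)
    if scheme is None:
        return False, "no scheme"
    if scheme not in KNOWN_SCHEMES:
        return False, f"unknown resource type {scheme!r}"
    if scheme not in permitted:
        return False, f"resource type {scheme!r} not permitted by firewall policy"
    return True, "ok"


def filter_urls(urls, permitted=PERMITTED_SCHEMES):
    """Return only the URLs that pass check_url under the given policy."""
    return [u for u in urls if check_url(u, permitted)[0]]


if __name__ == "__main__":
    # Constructed sample URLs, one per resource type of interest.
    samples = [
        "http://www.example.com/index.html",
        "ftp://ftp.example.com/pub/README",
        "telnet://host.example.com/",
        "rlogin://host.example.com/",
        "mailto:user@example.com",
        "file:///etc/passwd",
        "www.example.com/page",
    ]
    for u in samples:
        allowed, reason = check_url(u)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {u}  ({reason})")
```

The point of the `KNOWN_SCHEMES` step is that Python's `urlsplit` will happily report an unusual scheme for malformed input (anything before the first colon that looks like a scheme), so an allow-list on the scheme alone is only sound if unrecognised schemes are refused too.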


Denis Arnaud
12/19/1997