This port will generally be open only when a web server of some sort is running on the machine. However, as you can see from the extensive list of Trojan sightings below, there is no shortage of malicious software trying to inhabit this port. The widespread Code Red and Nimda worms are still alive, and are likely to survive out on the Internet for many more years. They continue searching for vulnerable systems into which they can reproduce wherever and whenever possible. Since they attempt to infect unpatched Microsoft web servers even the "Personal Web Server" sometimes installed in end-user versions of Windows Microsoft servers must always be patched and protected against worm infestation.
Due to the popularity of this port for malicious exploitation, it should never be open unless it is being actively and deliberately used to serve web pages. And then, any publicly accessible web servers must be proactively maintained and kept current with the latest security patches to keep them safe.
Many ISPs now block incoming traffic to this port before it reaches their customers. This is done for several reasons: The prevalence of malicious port 80 Trojans renders outside access to this port dangerous. Many Windows users are inadvertently running or have not patched and are not maintaining copies of Microsoft's web servers. As we know, active scanning by self-propagating worms is constantly attempting to locate and infect such servers. Additionally, the terms of service of many ISPs forbids end-users to offer web services to the Internet. Blocking incoming traffic to port 80 can be an enforcement of ISP policies as well as a significant boon to end-user security.
Poorly configured DSL and NAT routers sometimes expose their web-based configuration management interfaces to the Internet. If you are not running a local web server, and our tests show that port 80 is open on your machine, you will certainly want to determine what's going on. If you have a DSL or NAT router, be sure to check that its web interface is disabled on the "WAN" wide area network (Internet) side.
For information about secure web (https) connections, please see the Port Authority page for port 443.
The HTTP/1.1 RFC (the complete specification)
The specification of every nuance and detail of the current HTTP/1.1 protocol, as written by the people who invented it, may be found here:
Trojan Sightings: 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message 4 Creator, Hooker, IISworm, MTX, NCX, Noob, Ramen, Reverse WWW Tunnel Backdoor, RingZero, RTB 666, Seeker, WAN Remote, Web Server CT, WebDownloader