Re: Bruce Schneiers CRYPTO-GRAM February 15, 2002
- From: Daniel Veillard <veillard redhat com>
- To: Jochen Friedrich <jochen scram de>
- Cc: gnome-hackers gnome org
- Subject: Re: Bruce Schneiers CRYPTO-GRAM February 15, 2002
- Date: Fri, 15 Feb 2002 17:42:20 -0500
On Fri, Feb 15, 2002 at 10:41:14PM +0100, Jochen Friedrich wrote:
> "Implementation of Microsoft SOAP, a protocol running over HTTP precisely
> so it could bypass firewalls, should be withdrawn. According to the
> Microsoft documentation: "Since SOAP relies on HTTP as the transport
> mechanism, and most firewalls allow HTTP to pass through, you'll have no
> problem invoking SOAP endpoints from either side of a firewall." It is
> exactly this feature-above-security mindset that needs to go. It may be
> that SOAP offers sufficient security mechanisms, proper separation of code
> and data. However, Microsoft promotes it for its security avoidance."
>
> No further comment :-)
SOAP can be carried over HTTP, SSL, SMTP, raw TCP or UDP. So basically
the problem is not in SOAP, it's in HTTP being allowed without further
testing. Actually a firewall administrator has an easier control over
a SOAP messages crossing the interface than over say Javascript embedded
into a real HTML page or something even more masked.
Wrong analysis that's not where the problem lies.
Daniel
--
Daniel Veillard | Red Hat Network https://rhn.redhat.com/
veillard redhat com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
_______________________________________________
gnome-hackers mailing list
gnome-hackers gnome org
http://mail.gnome.org/mailman/listinfo/gnome-hackers
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]