Re: Bruce Schneiers CRYPTO-GRAM February 15, 2002

On Fri, Feb 15, 2002 at 10:41:14PM +0100, Jochen Friedrich wrote:
> "Implementation of Microsoft SOAP, a protocol running over HTTP precisely
> so it could bypass firewalls, should be withdrawn.  According to the
> Microsoft documentation: "Since SOAP relies on HTTP as the transport
> mechanism, and most firewalls allow HTTP to pass through, you'll have no
> problem invoking SOAP endpoints from either side of a firewall."  It is
> exactly this feature-above-security mindset that needs to go.  It may be
> that SOAP offers sufficient security mechanisms, proper separation of code
> and data.  However, Microsoft promotes it for its security avoidance."
> No further comment :-)

  SOAP can be carried over HTTP, SSL, SMTP, raw TCP or UDP. So basically
the problem is not in SOAP, it's in HTTP being allowed without further
testing. Actually a firewall administrator has an easier control over
a SOAP messages crossing the interface than over say Javascript embedded
into a real HTML page or something even more masked.
  Wrong analysis that's not where the problem lies.


Daniel Veillard      | Red Hat Network
veillard redhat com  | libxml Gnome XML XSLT toolkit | Rpmfind RPM search engine

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]