Re: Bruce Schneiers CRYPTO-GRAM February 15, 2002



> the problem is not in SOAP, it's in HTTP being allowed without further
> testing. Actually a firewall administrator has easier control over
> SOAP messages crossing the interface than over, say, JavaScript embedded

Unfortunately everyone uses HTTPS to prevent this, and while http/https
were designed right conceptually, there are no IE or Mozilla modules to
support the https sessions being driven by the proxy, not the browser, and
using a single authenticated session to the trusted proxy.

In practical terms it makes SOAP the perfect way to steal arbitrary
documents, second only to IRC.


