Re: Bruce Schneiers CRYPTO-GRAM February 15, 2002

> the problem is not in SOAP, it's in HTTP being allowed without further
> testing. Actually a firewall administrator has an easier control over
> a SOAP messages crossing the interface than over say Javascript embedded

Unfortunately everyone uses HTTPS to prevent this, and while http/https
were designed right conceptually, there are no IE or mozilla modules to
support the https sessions being driven the proxy not the browser and
using a single authenticated session to the trusted proxy

In practical terms it makes SOAP the perfect way to steal arbitary
documents, second only to irc

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]