Re: Bruce Schneiers CRYPTO-GRAM February 15, 2002
- From: Daniel Veillard <veillard redhat com>
- To: Jochen Friedrich <jochen scram de>
- Cc: gnome-hackers gnome org
- Subject: Re: Bruce Schneiers CRYPTO-GRAM February 15, 2002
- Date: Fri, 15 Feb 2002 17:42:20 -0500
On Fri, Feb 15, 2002 at 10:41:14PM +0100, Jochen Friedrich wrote:
> "Implementation of Microsoft SOAP, a protocol running over HTTP precisely
> so it could bypass firewalls, should be withdrawn. According to the
> Microsoft documentation: "Since SOAP relies on HTTP as the transport
> mechanism, and most firewalls allow HTTP to pass through, you'll have no
> problem invoking SOAP endpoints from either side of a firewall." It is
> exactly this feature-above-security mindset that needs to go. It may be
> that SOAP offers sufficient security mechanisms, proper separation of code
> and data. However, Microsoft promotes it for its security avoidance."
>
> No further comment :-)
SOAP can be carried over HTTP, SSL, SMTP, raw TCP or UDP. So basically
the problem is not in SOAP, it's in HTTP being allowed without further
testing. Actually a firewall administrator has easier control over
SOAP messages crossing the interface than over, say, JavaScript embedded
into a real HTML page or something even more masked.
Wrong analysis, that's not where the problem lies.
Daniel
--
Daniel Veillard | Red Hat Network https://rhn.redhat.com/
veillard redhat com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
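
Added example, not part of the original message or of any project named in it: a sketch of the kind of control the reply says an administrator has over SOAP traffic, namely parsing the HTTP body as a SOAP 1.1 envelope and passing only allow-listed operations. The policy table, the `urn:example:stock` namespace and the sample request are assumptions constructed for illustration.

```python
from xml.parsers import expat

ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
# Hypothetical policy: (namespace, operation) -> SOAPAction value it must arrive with.
ALLOWED = {("urn:example:stock", "GetQuote"): "urn:example:stock#GetQuote"}

class Rejected(Exception):
    """Raised from parser callbacks to abort on the first policy violation."""

def _no_doctype(*_args):
    raise Rejected("DOCTYPE declarations are not accepted")

def inspect_soap(body: bytes, soap_action: str):
    """Return (allowed, detail) for one HTTP POST body and its SOAPAction header."""
    path, ops = [], []
    def start(name, _attrs):
        path.append(name)  # names arrive as "namespace-uri localname"
        if len(path) == 1 and name != ENV + " Envelope":
            raise Rejected("root element is not a SOAP 1.1 Envelope")
        if len(path) == 3 and path[1] == ENV + " Body":
            ops.append(name)  # direct child of Body = the requested operation
    def end(_name):
        path.pop()
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = _no_doctype  # no DTDs, so no entity tricks
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
        if len(ops) != 1:
            raise Rejected("Body must carry exactly one operation")
        ns, _, op = ops[0].rpartition(" ")
        expected = ALLOWED.get((ns, op))
        if expected is None:
            raise Rejected(f"operation {op!r} in namespace {ns!r} is not allow-listed")
        if soap_action.strip('"') != expected:
            raise Rejected("SOAPAction header does not match the Body operation")
    except (Rejected, expat.ExpatError) as exc:
        return False, str(exc)
    return True, op

# Constructed sample request, not captured traffic.
GOOD = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        b'<q:GetQuote xmlns:q="urn:example:stock"><q:symbol>RHAT</q:symbol>'
        b'</q:GetQuote></s:Body></s:Envelope>')

if __name__ == "__main__":
    print(inspect_soap(GOOD, '"urn:example:stock#GetQuote"'))
```

An HTML page or any other non-SOAP body sent to the same endpoint fails the root-element check, so the filter decides on the declared operation rather than on the port alone.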