Feb 28 2002

Counterpane: Crypto-Gram: February 15, 2002:

Published by Chris McAvoy at 7:53 pm under Blog

Counterpane: Crypto-Gram: February 15, 2002: “Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn. According to the Microsoft documentation: “Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you’ll have no problem invoking SOAP endpoints from either side of a firewall.” It is exactly this feature-above-security mindset that needs to go. It may be that SOAP offers sufficient security mechanisms, proper separation of code and data. However, Microsoft promotes it for its security avoidance.”

Bruce Schneier wrote that in his monthly “Crypto-Gram” newsletter. He’s basically saying, “services are put on ports for a reason, so that firewalls can selectively turn off services.” One of the reasons I’ve been so quick to embrace SOAP and XML-RPC is because they run on port 80, which means I won’t get locked out by a restrictive firewall / proxy server. For all intents, SOAP and XML-RPC are firewall-killers.

This is one of those areas where I’ll maintain my hypocrisy: on one hand, I agree with Bruce, these new protocols defy existing security models; on the other hand, I’ll use them constantly (defying security models). In the end, guys like Bruce need to start suggesting ways to enforce security in a world of ever-changing port 80 protocols. There’s more than just HTML flowing over that simple little port.
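As an added illustration (not part of the original post, the Crypto-Gram newsletter, or any Microsoft code), the Python below shows concretely what the post is describing: a port-based firewall sees ordinary browsing, a SOAP call and an XML-RPC call as the same thing, TCP to port 80, while a proxy that parses the request can tell them apart by the SOAPAction header, the SOAP envelope namespace, or an XML-RPC `<methodCall>` root element. The sample requests, the hostname www.example.com and both policy tables are constructed for this example.

```python
"""Added example: port filtering versus application-layer classification.

A port-based firewall cannot distinguish SOAP or XML-RPC from plain web
browsing, because all three are HTTP to port 80.  A content-aware proxy can.
All requests and policies below are constructed for this example.
"""
import re
from typing import Dict, Tuple

# Namespace URIs that identify a SOAP 1.1 / SOAP 1.2 envelope body.
SOAP11_NS = b"http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = b"http://www.w3.org/2003/05/soap-envelope"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: bytes) -> str:
    """Return 'soap', 'xmlrpc' or 'web' for one HTTP request.

    SOAP: SOAPAction header, application/soap+xml content type, or a SOAP
    envelope namespace in the body.  XML-RPC: a text/xml POST whose root
    element is <methodCall>.  Anything else is treated as ordinary web traffic.
    """
    method, _path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").lower()
    if ("soapaction" in headers
            or ctype.startswith("application/soap+xml")
            or SOAP11_NS in body or SOAP12_NS in body):
        return "soap"
    if method == "POST" and ctype.startswith("text/xml"):
        # Drop an optional XML declaration, then look at the root element.
        root = re.sub(rb"^\s*<\?xml[^>]*\?>\s*", b"", body)
        if root.startswith(b"<methodCall"):
            return "xmlrpc"
    return "web"


# A port-based firewall rule set (constructed): HTTP is allowed, full stop.
PORT_POLICY = {80: "allow"}

# A content-aware proxy policy (constructed): browsing yes, RPC protocols no.
APP_POLICY = {"web": "allow", "soap": "block", "xmlrpc": "block"}


def port_filter_decision(dst_port: int) -> str:
    """What a port-only firewall decides; it never sees the payload."""
    return PORT_POLICY.get(dst_port, "block")


def proxy_decision(raw: bytes, policy: Dict[str, str] = APP_POLICY) -> str:
    """What an application-layer proxy decides after parsing the request."""
    return policy.get(classify(raw), "block")


# Constructed sample requests; all would be sent to port 80.
WEB_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")

SOAP_REQUEST = (b"POST /services/Order HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Content-Type: text/xml; charset=utf-8\r\n"
                b'SOAPAction: "urn:example:PlaceOrder"\r\n\r\n'
                b'<?xml version="1.0"?>'
                b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
                b"<SOAP-ENV:Body><PlaceOrder/></SOAP-ENV:Body></SOAP-ENV:Envelope>")

XMLRPC_REQUEST = (b"POST /RPC2 HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"Content-Type: text/xml\r\n\r\n"
                  b'<?xml version="1.0"?>'
                  b"<methodCall><methodName>examples.getStateName</methodName>"
                  b"<params><param><value><i4>41</i4></value></param></params></methodCall>")

SAMPLES = {"web": WEB_REQUEST, "soap": SOAP_REQUEST, "xmlrpc": XMLRPC_REQUEST}


def compare(requests: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (port-firewall decision, proxy decision)} per request."""
    return {name: (port_filter_decision(80), proxy_decision(raw))
            for name, raw in requests.items()}


if __name__ == "__main__":
    for name, (port, proxy) in compare(SAMPLES).items():
        print(f"{name:7s} port filter: {port:5s}  proxy: {proxy}")
```

Run stand-alone it prints one line per sample; the port filter allows all three, the proxy allows only the plain page fetch. The point is not that SOAP should be blocked wholesale, but that once several protocols share port 80 the only place a "turn this service off" rule can live is in something that reads the HTTP payload.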
