dotgnu-general

Re: [DotGNU]Web Services - More Secure or Less?


From: Rhys Weatherley
Subject: Re: [DotGNU]Web Services - More Secure or Less?
Date: Sat, 17 Nov 2001 09:02:08 +1000

Bill Lance wrote:

> This may eventually be an issue with dotgnu  ..  port
> usage.
>
> http://slashdot.org/askslashdot/01/11/14/2024200.shtml

Yes, this definitely will be an issue if we support SOAP,
which we will probably have to in Portable.NET at least,
for Microsoft bug-compatibility.

Basically, SOAP is designed to send requests via HTTP,
which allows it to tunnel through firewalls very easily.
But this usurps the authority of the firewall administrator,
who may not want active application requests moving
across the firewall.

This is a common problem with many of the more recent
protocols that have been designed by "The Web must be
cool because it looks pretty" crowd.  Firewalls get in their
way, so they route around them without thinking about
the broader problems.

I remember when the "Internet Printing Protocol" first
came out, there was an Internet Draft that someone wrote
criticizing IPP's use of HTTP to tunnel past firewalls for
just this reason.  It was a very good discussion of why
tunnelling in this fashion is a stupid idea.  Unfortunately,
it has long since expired, so I don't have a URL for it.

Anyway, we can probably deal with it by providing an
alternative transport for SOAP messages.  Instead of
sending them via HTTP on port 80, we could supply an
option to send them via some other well-known port.
SOAP is actually transport-independent to some degree.
This would give firewall administrators their control back.
However, I'm not too sure how effective this would
be unless lots of other vendors adopted the same port.

Cheers,

Rhys.
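
Added example, not part of the original message: Python that shows how an HTTP-aware proxy or log reviewer could recognise SOAP calls sharing the web port with ordinary traffic, so the firewall administrator can still apply policy to them. It also checks for SOAP 1.2, which postdates the message. The function names, the 1 MiB inspection limit and the sample requests are assumptions constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

SOAP_NS = {"http://schemas.xmlsoap.org/soap/envelope/": "1.1",  # SOAP 1.1 envelope
           "http://www.w3.org/2003/05/soap-envelope": "1.2"}    # SOAP 1.2 envelope
MAX_BODY = 1 << 20  # assumed inspection limit, not from the original message

def parse_http_request(raw):
    """Split a raw HTTP request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (ln.partition(":") for ln in lines[1:]) if sep}
    return lines[0].split(" ", 1)[0], headers, body

def envelope_version(body):
    """Return '1.1' or '1.2' if the root element is a SOAP Envelope, else None."""
    # SOAP forbids DTDs, so refusing them also keeps entity expansion out of the parser.
    if not body or len(body) > MAX_BODY or b"<!DOCTYPE" in body:
        return None
    try:
        # Only the first start event (the root element) is needed.
        _, root = next(ET.iterparse(io.BytesIO(body), events=("start",)))
    except (ET.ParseError, StopIteration):
        return None
    ns, _, local = root.tag.lstrip("{").partition("}")
    return SOAP_NS.get(ns) if local == "Envelope" else None

def soap_indicators(raw):
    """List the reasons a request on the web port looks like a SOAP call."""
    method, headers, body = parse_http_request(raw)
    reasons = []
    if "soapaction" in headers:  # header used by the SOAP 1.1 HTTP binding
        reasons.append("SOAPAction header")
    if headers.get("content-type", "").lower().startswith("application/soap+xml"):
        reasons.append("application/soap+xml media type")
    version = envelope_version(body) if method == "POST" else None
    if version:
        reasons.append("SOAP %s Envelope in body" % version)
    return reasons

# Constructed sample requests (not captured traffic).
SOAP_CALL = (b"POST /StockQuote HTTP/1.1\r\nHost: example.org\r\n"
             b"Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:GetQuote\"\r\n\r\n"
             b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
             b"<e:Body><GetQuote/></e:Body></e:Envelope>")
FORM_POST = (b"POST /login HTTP/1.1\r\nHost: example.org\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice")
```

Checking the envelope in the body as well as the headers matters because a request can omit SOAPAction and still carry a SOAP call.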
