[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [DotGNU]SOAP - make it secure !

From: Gopal.V
Subject: Re: [DotGNU]SOAP - make it secure !
Date: Sat, 17 Nov 2001 16:55:58 +0530
User-agent: Mutt/1.2.5i

> Basically, SOAP is designed to send requests via HTTP,
> which allows it to tunnel through firewalls very easily.
> But this usurps the authority of the firewall administrator,
> who may not want active application requests moving
> across the firewall.
        The whole webservices concept has evolved from the 
attractivness of through the firewall operations. Look
at webmail, it evolved when POP,SMTP and UUCP was blocked
by a firewall.
        Also with port-80 access problem, the most obvious idea
is to use a SQUID server to block "application/soap". Almost
all firewalled networks I know have a proxy server. This prevents
SOAP via port-80. But this method can easily be overcome by using
an HTML wrapped SOAP object or just transmitting SOAP with a *new*
mime-type (ie text/xml).

        Jabber is a very good option as SOAP is a routable protocol.
Also Jabber provides that asynchronous mode of transports missing
in HTTP. And jabber handles the most difficult problem with HTTP
very efficently -> state management and multiple presences.

        Arun had mentioned very early about writing a SOAP
proxy server, to filter out harmful incoming method calls.
I had started work on an this using java, but exams came and
it got dumped. I have been attacked using kxmlrpc exploits, 
when browsing with konqueror, until I set up a firewall.(at 
least it catches access attempts). So a root mode browser 
can ``rm -rf /home'' and get away with it while you imagine 
that the pop-up window is an AD. 

Moral : use safe browsers like lynx and safe desktop platforms like fvwm :-)
                ie any new convenience comes with a price in security.

        The SOAP query url could be modified as an RLS 
( refer ARCH list) and made protocol independent in 
*implementation*. I think the SOAP is over http just
because http is mostly firewall-transparent.

GNUGNU  's   NN    NN  UU    UU
GG           OO \  OO  NN    NN
NN    GNU    TT  \ TT  II    II 
UUGNUGN U    ==    ==   XX--XX    yes, GNU's Not Unix.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]