dotgnu-general

Re: [DotGNU]SOAP - make it secure !


From: Gopal.V
Subject: Re: [DotGNU]SOAP - make it secure !
Date: Sat, 17 Nov 2001 16:55:58 +0530
User-agent: Mutt/1.2.5i

Hi,
> Basically, SOAP is designed to send requests via HTTP,
> which allows it to tunnel through firewalls very easily.
> But this usurps the authority of the firewall administrator,
> who may not want active application requests moving
> across the firewall.
        The whole web services concept has evolved from the
attractiveness of through-the-firewall operations. Look
at webmail: it evolved when POP, SMTP and UUCP were blocked
by a firewall.
        
        Also, with the port-80 access problem, the most obvious idea
is to use a Squid server to block "application/soap". Almost
all firewalled networks I know have a proxy server. This prevents
SOAP via port 80. But this method can easily be overcome by using
an HTML-wrapped SOAP object or just transmitting SOAP with a *new*
MIME type (i.e. text/xml).

        Jabber is a very good option, as SOAP is a routable protocol.
Also, Jabber provides the asynchronous mode of transport missing
in HTTP. And Jabber handles the most difficult problem with HTTP
very efficiently -> state management and multiple presences.

        Arun had mentioned very early on writing a SOAP
proxy server to filter out harmful incoming method calls.
I had started work on this using Java, but exams came and
it got dumped. I have been attacked using kxmlrpc exploits
when browsing with Konqueror, until I set up a firewall (at
least it catches access attempts). So a root-mode browser
can ``rm -rf /home'' and get away with it while you imagine
that the pop-up window is an ad.

Moral : use safe browsers like lynx and safe desktop platforms like fvwm :-)
                i.e. any new convenience comes with a price in security.

        The SOAP query URL could be modified as an RLS
(refer to the ARCH list) and made protocol-independent in
*implementation*. I think SOAP is over HTTP just
because HTTP is mostly firewall-transparent.

Gopal.V
-- 
GNUGNU  's   NN    NN  UU    UU
GG           OO \  OO  NN    NN
NN    GNU    TT  \ TT  II    II 
UUGNUGN U    ==    ==   XX--XX    yes, GNU's Not Unix.
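An added example, not code from the message above or from the DotGNU project, contrasting the two filtering approaches the message discusses: the proxy rule that drops requests by Content-Type, which a client defeats by relabelling the same envelope as text/xml, and a SOAP-aware filter that parses the envelope and checks the called operation against an allowlist. The SOAP 1.1 and 1.2 envelope namespaces are the real ones; the allowed operation names, the urn:example namespace and the sample requests are constructed for the demonstration.

```python
"""SOAP request filtering: Content-Type rule versus envelope inspection.

Illustrative code, not from the DotGNU list message or project.
"""
import xml.etree.ElementTree as ET

# Real SOAP 1.1 and SOAP 1.2 envelope namespaces.
SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}

# Hypothetical allowlist of operations the proxy lets through (assumption).
ALLOWED_METHODS = {"GetQuote", "ListItems"}


def _split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def blocked_by_content_type(headers):
    """The naive proxy rule: drop anything labelled application/soap*.
    Header names are compared case-insensitively; the body is never read."""
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.lower()
    return ctype.startswith("application/soap")


def soap_operations(body):
    """Return the operation names under the SOAP Body, or None when the
    payload is not a SOAP envelope (non-XML, or XML with another root).
    Caveat: stdlib ElementTree does no entity-expansion limiting; a real
    proxy should parse with a hardened parser such as defusedxml."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    ns, local = _split_tag(root.tag)
    if local != "Envelope" or ns not in SOAP_ENVELOPE_NS:
        return None
    ops = []
    for child in root:
        cns, clocal = _split_tag(child.tag)
        if clocal == "Body" and cns == ns:
            ops.extend(_split_tag(el.tag)[1] for el in child)
    return ops


def filter_request(headers, body, allowed=ALLOWED_METHODS):
    """Envelope-aware decision for one request: (allowed, reason).
    The headers are deliberately ignored; only the parsed body counts."""
    ops = soap_operations(body)
    if ops is None:
        return True, "not SOAP"
    if not ops:
        return False, "SOAP envelope with empty Body"
    bad = [op for op in ops if op not in allowed]
    if bad:
        return False, "method not allowed: " + ", ".join(bad)
    return True, "allowed: " + ", ".join(ops)


# Constructed SOAP 1.1 request template (urn:example is a placeholder).
ENVELOPE = (
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><m:{op} xmlns:m="urn:example"><m:arg>x</m:arg></m:{op}>'
    '</soap:Body></soap:Envelope>'
)


def demo():
    """Same envelope, relabelled as text/xml: the Content-Type rule passes it,
    the envelope filter still rejects the disallowed operation."""
    hdrs = {"Content-Type": "text/xml; charset=utf-8"}
    evil = ENVELOPE.format(op="DeleteAllFiles").encode()
    good = ENVELOPE.format(op="GetQuote").encode()
    return {
        "ctype_rule_blocks_relabelled": blocked_by_content_type(hdrs),
        "envelope_rule_on_relabelled": filter_request(hdrs, evil),
        "envelope_rule_on_good": filter_request(hdrs, good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Parsing the body catches the MIME-type relabelling the message describes, but not the other bypass it mentions: a SOAP envelope wrapped inside an HTML document has an html root, so this filter treats it as "not SOAP" and would need to dig the envelope out of the surrounding markup first.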

