Re: [DotGNU]SOAP - make it secure !
From: Gopal.V
Subject: Re: [DotGNU]SOAP - make it secure !
Date: Sat, 17 Nov 2001 16:55:58 +0530
User-agent: Mutt/1.2.5i
Hi,
> Basically, SOAP is designed to send requests via HTTP,
> which allows it to tunnel through firewalls very easily.
> But this usurps the authority of the firewall administrator,
> who may not want active application requests moving
> across the firewall.
The whole web services concept has evolved from the
attractiveness of through-the-firewall operations. Look
at webmail: it evolved when POP, SMTP and UUCP were blocked
by a firewall.
Also, with the port-80 access problem, the most obvious idea
is to use a SQUID server to block "application/soap". Almost
all firewalled networks I know have a proxy server. This prevents
SOAP via port 80. But this method can easily be overcome by using
an HTML-wrapped SOAP object or just transmitting SOAP with a *new*
MIME type (i.e. text/xml).
Jabber is a very good option as SOAP is a routable protocol.
Also, Jabber provides the asynchronous mode of transport missing
in HTTP. And Jabber handles the most difficult problem with HTTP
very efficiently -> state management and multiple presences.
Arun had mentioned very early on writing a SOAP
proxy server, to filter out harmful incoming method calls.
I had started work on this using Java, but exams came and
it got dumped. I have been attacked using kxmlrpc exploits,
when browsing with Konqueror, until I set up a firewall (at
least it catches access attempts). So a root-mode browser
can ``rm -rf /home'' and get away with it while you imagine
that the pop-up window is an ad.
Moral: use safe browsers like lynx and safe desktop platforms like fvwm :-)
i.e. any new convenience comes with a price in security.
The SOAP query URL could be modified as an RLS
(refer ARCH list) and made protocol-independent in
*implementation*. I think SOAP is over HTTP just
because HTTP is mostly firewall-transparent.
Gopal.V
--
GNUGNU 's NN NN UU UU
GG OO \ OO NN NN
NN GNU TT \ TT II II
UUGNUGN U == == XX--XX yes, GNU's Not Unix.
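The proxy argument in the message above (block "application/soap" at Squid, bypass it by relabelling the body as text/xml or wrapping it in HTML) can be shown concretely. The block below is an added example written for this page; it is not code from the DotGNU project or from the poster. It builds four constructed HTTP requests, runs them through a filter that only looks at the declared Content-Type (the Squid-style rule) and through one that inspects the body for a SOAP Envelope element declaring a SOAP 1.1 or 1.2 envelope namespace, and returns both verdicts. The request layout, the media types checked, the "/rpc" path and the example.invalid host are all assumptions made for the demonstration. Note that SOAP 1.1 was in fact specified to be sent as text/xml, so a rule keyed on "application/soap" alone misses even well-behaved traffic.

```python
import re

# SOAP envelope namespaces (SOAP 1.1 and SOAP 1.2). Assumption for this
# example: a body is "SOAP" if it carries an Envelope element and one of
# these namespaces appears in it.
SOAP_NAMESPACES = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)
_ENVELOPE_TAG = re.compile(r"<(?:[A-Za-z_][\w.\-]*:)?Envelope\b")
_SOAP_NS = re.compile("|".join(re.escape(ns) for ns in SOAP_NAMESPACES))

# A constructed SOAP 1.1 envelope; not taken from any real service.
ENVELOPE = (
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><m:GetQuote xmlns:m="urn:example"><m:symbol>GNU</m:symbol>'
    '</m:GetQuote></soap:Body></soap:Envelope>'
)


def make_request(content_type, body, extra_headers=()):
    """Build a raw HTTP/1.0 POST (constructed sample input, hypothetical host/path)."""
    lines = ["POST /rpc HTTP/1.0", "Host: example.invalid",
             "Content-Type: " + content_type,
             "Content-Length: %d" % len(body)]
    lines.extend(extra_headers)
    return "\r\n".join(lines) + "\r\n\r\n" + body


# The four constructed requests the post's argument turns on.
REQUESTS = {
    "declared_soap": make_request("application/soap", ENVELOPE),
    "relabelled_text_xml": make_request("text/xml", ENVELOPE),
    "html_wrapped": make_request(
        "text/html",
        "<html><body><pre>" + ENVELOPE + "</pre></body></html>"),
    "plain_form": make_request("application/x-www-form-urlencoded", "q=hello"),
}


def parse_request(raw):
    """Split a raw request into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def naive_filter(raw):
    """The Squid-style rule: block only on the declared media type."""
    headers, _ = parse_request(raw)
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    return "block" if media in ("application/soap", "application/soap+xml") else "allow"


def body_filter(raw):
    """Look for a SOAP envelope in the body whatever the header says,
    and treat a SOAPAction header as a giveaway as well."""
    headers, body = parse_request(raw)
    if "soapaction" in headers:
        return "block"
    if _ENVELOPE_TAG.search(body) and _SOAP_NS.search(body):
        return "block"
    return naive_filter(raw)


def compare(requests=REQUESTS):
    """Map each request name to (content-type verdict, body-inspection verdict)."""
    return {name: (naive_filter(raw), body_filter(raw))
            for name, raw in requests.items()}


if __name__ == "__main__":
    for name, (naive, deep) in compare().items():
        print("%-20s content-type filter: %-5s  body filter: %s"
              % (name, naive, deep))
```

Running it shows the two relabelled requests passing the Content-Type rule and being caught by body inspection, while the plain form post passes both. The body check here is a regular expression over the raw body, which is all this demonstration needs; a proxy doing this for real would first have to undo chunked transfer encoding and compression, and would still be a heuristic, which is the point the message makes about filtering SOAP at the HTTP layer.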