From "Roy T. Fielding" <field...@kiwi.ICS.UCI.EDU>
Subject Re: Simple Object Access Protocol
Date Sun, 07 Nov 1999 02:29:43 GMT
>what exactly is "web information" ?  i can put whatever i want on a "web
>page".  information is just bits.  what you're saying sounds a lot like
>saying fetching porn is a security hole which firewall vendors should be
>fixing.

Nonsense.  What I said was that enabling SOAP on a web server allows
non-web (i.e., not specifically authorized for external transfer)
application information (like that stored in any COM-enabled database)
to be automatically tunnelled through port 80 based on whatever defaults
Microsoft happens to define.  Firewalls are set up to disallow accidental
transfer of application information across network boundaries.  SOAP exists
to get through them, based on the theory that firewalls are too difficult
to administer and therefore users should work around them by default
instead of simply reconfiguring the firewall.  This is no different than
any other gateway module *except* that the internal side (COM) is blissfully
unaware of security and there is no established norm (such as path info)
for distinguishing what will be made public via the gateway.

My point was that, aside from the above, SOAP is just an inefficient form
of RPC.  There is nothing stopping people from using more efficient forms
of RPC through port 80, so the security hole already exists if you have
a willing application on the host.  SOAP just provides people with a
built-in willing host that will be installed by default just like all the
other MS sharing applications.  Making it look like an HTTP POST request
with an XML content-type instead of XDR parameters is just sugar coating
that will only be "useful" until firewall developers start doing content
filtering on port 80, which they will have to do because that is why
firewalls exist.

....Roy
