Open source developer web site Advogato has been discussing SOAP, in response to Bruce Schneier's concerns about its security.
What concerns security expert Schneier is the ability of SOAP to penetrate firewalls:
Firewalls have good reasons for blocking protocols like DCOM coming from untrusted sources. Protocols that sneak them through are not what's wanted.
In the Advogato discussion, SOAP finds few friends save for Fredrik Lundh, an implementor of both XML-RPC and SOAP libraries for Python. He writes:
in practice, SOAP is nothing more than an embellished CGI request ... that's no different from a CGI form ... if there's a hole in the *underlying* software, someone will come up with a way to use that. nothing new here.
Despite the conscious move away from pure HTTP transport in the most recent version (1.1) of the SOAP specification, SOAP's ability to carry RPC calls through firewalls remains its most debated feature, cited both by those who favour it and by those who object to it.
Jon Zeppieri notes that SOAP is larger than just RPC and that we will need new levels of security to deal with it:
The problem isn't that SOAP somehow magically makes HTTP (the actual protocol) less secure than it has always been, but that it is a considerably more sophisticated use of HTTP and therefore requires a more sophisticated security model than the one we normally apply to HTTP traffic. I think that is what Schneier is reacting to: letting distributed objects play in the security space that we normally reserve for simple document retrieval and catalog sales is not smart.
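The point both Lundh and Zeppieri make is that a SOAP call is an ordinary HTTP POST, so a port-level firewall rule that allows web browsing cannot tell a method invocation from a page fetch. The following example, added here and taken from neither the Advogato thread nor the Schneier piece, shows what that distinction looks like at the application layer: a small classifier that a gateway could run on raw HTTP requests to separate document retrieval from SOAP 1.1 RPC (recognised by the SOAPAction header and the SOAP envelope namespace) and to extract the invoked method name for policy or logging. The two sample requests, the `urn:inventory` namespace and the `RestockItem` method are constructed for illustration.

```python
"""Added example (not from the Advogato thread or the article): classify raw
HTTP requests so a gateway can treat SOAP RPC calls differently from plain
document retrieval. The sample requests below are constructed for illustration."""
from xml.etree import ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased; the body is whatever follows the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def soap_method_name(body: bytes):
    """Return the local name of the first child of SOAP-ENV:Body (the RPC
    method being invoked), or None if the body is not a SOAP envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Envelope" % SOAP_ENV_NS:
        return None
    soap_body = root.find("{%s}Body" % SOAP_ENV_NS)
    if soap_body is None or len(soap_body) == 0:
        return None
    # Strip the namespace part of "{ns}LocalName"
    return soap_body[0].tag.rsplit("}", 1)[-1]


def classify_request(raw: bytes) -> dict:
    """Decide whether a request is a document fetch or a SOAP RPC call.
    A SOAPAction header, or a POST carrying a SOAP Envelope, marks the request
    as RPC, which is exactly the traffic a port-80 firewall rule cannot see."""
    method, target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    rpc_method = soap_method_name(body) if method == "POST" else None
    is_soap = "soapaction" in headers or rpc_method is not None
    return {
        "target": target,
        "kind": "soap-rpc" if is_soap else "document",
        "soap_action": headers.get("soapaction"),
        "rpc_method": rpc_method,
        "content_type": ctype,
    }


# Constructed sample traffic: one ordinary page fetch and one SOAP 1.1 call
# (hypothetical service namespace "urn:inventory" and method "RestockItem").
PAGE_FETCH = b"GET /catalog/index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SOAP_CALL = (
    b"POST /rpc HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "urn:inventory#RestockItem"\r\n'
    b"\r\n"
    b'<?xml version="1.0"?>'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<SOAP-ENV:Body><m:RestockItem xmlns:m="urn:inventory">'
    b"<sku>A-100</sku><qty>5</qty></m:RestockItem></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

if __name__ == "__main__":
    for req in (PAGE_FETCH, SOAP_CALL):
        print(classify_request(req))
```

Both requests arrive on the same port and pass the same packet filter; only the classifier's look at headers and body reveals that the second one invokes a method on a backend object. A gateway that wants Zeppieri's "more sophisticated security model" would key its policy on the `kind`, `target` and `rpc_method` fields rather than on the port alone.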