   Re: SOAP, plague, love

  • From: Tim Bray <tbray@textuality.com>
  • To: <xml-dev@xml.org>
  • Date: Sat, 06 May 2000 10:19:24 -0700

At 07:54 AM 5/6/00 -0700, Dave Winer wrote:
>>>It's unfortunate Microsoft doesn't consider that an issue.
>You don't know that, in fact I'm sure they do consider all these things
>... They're
>just people. Many of them are also good technologists, as good as you or I.
>Let's give them a chance to do the right thing.

Well yes, but in this case, they released a scriptable email client full of 
trap-doors and gotchas to the entire world, and encouraged people with 
direct internet connections to use it.  Given that this error has now put
the world through several spells of extreme viral nastiness, it seems to me 
a reasonable reaction to shriek in horror and assert that one way to avoid 
nastiness like that of the last week is to avoid the use of broken email 

Several people I know who are smart but lack a deep understanding of things
like firewalls and Windows Scripting Host have been using Outlook because
that's what came with the machine; and have been hurt.  So when something
new like XML-RPC/Soap comes along, I think it's perfectly reasonable for
journalists and analysts, who (surprise, surprise) may not be that deep
in their technical perceptions, to ask hard questions to discover what (if 
any) vulnerabilities this opens up.

The answer is: SOAP/XML-RPC can (and will) be used to implement things in 
stupid ways that leave security holes; just like their moral equivalents,
the CGI scripts of the world.  But, unlike for example Outlook, using SOAP
in the default way as provided out of the box is not guaranteed to make
your computer vulnerable to vicious attacks by bored teenagers. -Tim

This is xml-dev, the mailing list for XML developers.
List archives are available at http://xml.org/archives/xml-dev/



Copyright 2001 XML.org. This site is hosted by OASIS