Lists Home |
Date Index |
- To: "Mike Champion" <firstname.lastname@example.org>,<email@example.com>
- Subject: RE: [xml-dev] SOAP-RPC and REST and security
- From: "Dare Obasanjo" <firstname.lastname@example.org>
- Date: Tue, 19 Feb 2002 23:41:15 -0800
- Thread-index: AcG5x5NV0UXkHlMjRmqAZmrDV88UWgAGLaAQ
- Thread-topic: [xml-dev] SOAP-RPC and REST and security
> -----Original Message-----
> From: Mike Champion [mailto:email@example.com]
> Sent: Tuesday, February 19, 2002 7:23 PM
> To: firstname.lastname@example.org
> Subject: [xml-dev] SOAP-RPC and REST and security
> One more issue on RPC vs REST -- security.
> I'm not sure this is a differentiator, but consider this section of
> "And one of the simplest, strongest, and safest models is to
> enforce a rigid separation
> of data and code. The commingling of data and code is
> responsible for a great many
> security problems...
Ahhh I see, so he has a problem with the Von Neumann architecture? I
wonder what kind of machine he uses at home then. :)
> One could surely argue that REST *does* rigidly separate code
> from data, and I can't see
> offhand how a Melissa-esque worm could spread via a REST web
Melissa was an email worm that spread by having people open a word
document with a macro in it. I fail to see what Melissa has to do with
web services (or worms for that matter).
> So, what's the current thinking about SOAP-RPC as a security
> risk in *plausible*
> scenarios where business services are exposed via SOAP? And
> is it generally accepted
> that a REST-ful worm couldn't happen, or is this wishful
> thinking on my part?
I fail to see how REST prevents worms from occuring. Most of the major
web worms have spread by exploiting buffer overflow bugs in server
software. I fail to see how REST suddenly magicks that away.
THINGS TO DO IF I BECOME AN EVIL OVERLORD #34
I will not turn into a snake. It never helps.