OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   RE: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]
  • To: "Mike Champion" <mc@xegesis.org>,<xml-dev@lists.xml.org>
  • Subject: RE: [xml-dev] SOAP-RPC and REST and security
  • From: "Dare Obasanjo" <dareo@microsoft.com>
  • Date: Tue, 19 Feb 2002 23:41:15 -0800
  • Thread-index: AcG5x5NV0UXkHlMjRmqAZmrDV88UWgAGLaAQ
  • Thread-topic: [xml-dev] SOAP-RPC and REST and security

> -----Original Message-----
> From: Mike Champion [mailto:mc@xegesis.org] 
> Sent: Tuesday, February 19, 2002 7:23 PM
> To: xml-dev@lists.xml.org
> Subject: [xml-dev] SOAP-RPC and REST and security
> One more issue on RPC vs REST -- security.
> I'm not sure this is a differentiator, but consider this section of 
> http://www.counterpane.com/crypto-gram-0202.html#2
> "And one of the simplest, strongest, and safest models is to 
> enforce a rigid separation 
> of data and code. The commingling of data and code is 
> responsible for a great many 
> security problems...

Ahhh I see, so he has a problem with the Von Neumann architecture? I
wonder what kind of machine he uses at home then. :)

> One could surely argue that REST *does* rigidly separate code 
> from data, and I can't see 
> offhand how a Melissa-esque worm could spread via a REST web 
> service.  

Melissa was an email worm that spread by having people open a word
document with a macro in it. I fail to see what Melissa has to do with
web services (or worms for that matter). 

> So, what's the current thinking about SOAP-RPC as a security 
> risk in *plausible* 
> scenarios where business services are exposed via SOAP?  And 
> is it generally accepted 
> that a REST-ful worm couldn't happen, or is this wishful 
> thinking on my part?   

I fail to see how REST prevents worms from occuring. Most of the major
web worms have spread by exploiting buffer overflow bugs in server
software. I fail to see how REST suddenly magicks that away. 

I will not turn into a snake. It never helps.


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS