Lists Home |
Date Index |
Joshua Allen wrote:
> Like when I create a PPTP tunnel over the Internet to dial in to my corporate account?
We're talking about application protocols. They have semantics.
> I will boil your long argument down to this: you claim that HTTP in
> a REST model is secure,
Security is not a boolean property. Architectures and standards promote
or hurt the likelihood of secure implementations.
> ... because an admin can trust that a GET does not modify
> resources, and he can control access to other more
> "dangerous" verbs.
It isn't one thing. Idempotent GET is just an example. It is in general
about making the message's meaning known to the firewall explicitly by:
a) choosing a unique port
b) having a consistent, simple structure
c) having well-defined semantics
d) having a transparent addressing model
SOAP scores poorly on all of these criteria. It flouts all Internet
protocol labeling conventions.
Does that mean that SOAP is "insecure?" No. Does it mean that SOAP will
exact a higher price in terms of break-ins and product prices than it
otherwise would. I think so. Time will tell.