I understand the "knowing where to look" in terms
of securing a system by knowing what its vulnerabilities
are. I can't find any article that states
definitively if XML helps the cracker (is it a vulnerability
by nature exploitable by a malicious agent,
not by ignorance (a person transmitting unencrypted
data, a person leaving XML files "in the open")).
So far, I've seen no evidence that XML makes it easier
to crack the encryption; just that once it is cracked,
it is easier to understand, which is, of course, why
markup is used anyway. The article referenced in the
referenced article has gone bye bye.
Given the long history of Internet specs for producing
insecure systems, one would think someone would have
a definitive answer but given the rush to adopt
Internet technology, maybe not. The sky is always
falling on the web. ;-)
len
From: Rich Salz [mailto:rsalz@datapower.com]
> If the answer is, experts disagree, there is liability and a
> real problem to be solved somewhere. That there are costs
> is assumed.
So far, the only XML-specific risks I've heard about are various attacks
on Unicode[1]. I think most security people assume that the bad guys
know what they're looking for (except perhaps Carnivore :), so it
doesn't matter if the data is XML, ASCII, or private extension fields in
EDI.
> XML posits that we all drive the same car and
> so will be equally liable.
Not really; it's more like specifying standard positions for the
steering wheel, gas pedal, etc. As I said: knowing where to look.
/r$
[1] http://www.counterpane.com/crypto-gram-0007.html#9