
   RE: [xml-dev] The sky is falling! XML's dirty secret! Go back! It's a


I understand the "knowing where to look" in terms 
of securing a system by knowing what its vulnerabilities 
are.  I can't find any article that states 
definitively if XML helps the cracker (is it a vulnerability 
by nature exploitable by a malicious agent, 
not by ignorance (a person transmitting unencrypted 
data, a person leaving XML files "in the open")). 

So far, I've seen no evidence that XML makes it easier 
to crack the encryption; just that once it is cracked, 
it is easier to understand, which is of course, why 
markup is used anyway.  The article referenced in the 
referenced article has gone bye bye.

Given the long history of Internet specs for producing 
insecure systems, one would think someone would have 
a definitive answer but given the rush to adopt 
Internet technology, maybe not.  The sky is always 
falling on the web. ;-)

len



From: Rich Salz [mailto:rsalz@datapower.com]

> If the answer is, experts disagree, there is liability and a 
> real problem to be solved somewhere.  That there are costs 
> is assumed.

So far, the only XML-specific risks I've heard about are various attacks 
on Unicode[1].  I think most security people assume that the bad guys 
know what they're looking for (except perhaps Carnivore :), so it 
doesn't matter if the data is XML, ASCII, or private extension fields in 
EDI.

> XML posits that we all drive the same car and
> so will be equally liable.

Not really; it's more like specifying standard positions for the 
steering wheel, gas pedal, etc.  As I said:  knowing where to look.
	/r$

[1] http://www.counterpane.com/crypto-gram-0007.html#9




 


Copyright 2001 XML.org. This site is hosted by OASIS