Schneier worried about SOAP security
15:32, 15 Feb 2002 UTC | Edd Dumbill

Bruce Schneier has written, in the latest issue of CRYPTO-GRAM, an analysis of the security of Microsoft's products, touching on .NET and SOAP.

Speaking about SOAP, Schneier says: "It may be that SOAP offers sufficient security mechanisms, proper separation of code and data. However, Microsoft promotes it for its security avoidance."

Saying that SOAP should "be withdrawn", he quotes Microsoft:

According to the Microsoft documentation: "Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall." It is exactly this feature-above-security mindset that needs to go.

However, Schneier's comments seem to come from a standpoint of ignorance as to the current state of the development of SOAP, and are perhaps best taken together with his more general reservations about the mixing of data and program code. It certainly seems that his reaction is more to the ill-advised firewall-piercing aspect mentioned in the Microsoft documentation than to any particular aspect of the SOAP specification.
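A perimeter check that addresses the firewall-piercing point, as an added example that is not from the article, from Schneier, or from Microsoft's documentation: it classifies raw HTTP requests as SOAP by the SOAPAction header, the SOAP 1.2 media type, or a SOAP Envelope root element, and lets SOAP through only to an approved endpoint list, so "HTTP passes the firewall" does not mean "every SOAP call passes the firewall". The hosts, paths and sample requests are constructed.

```python
# Added example (not the article's or Microsoft's code): application-layer
# SOAP classification for a perimeter proxy. Sample traffic is constructed.
import re
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")    # SOAP 1.2

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def is_soap(headers, body: bytes) -> bool:
    """True if the request carries a SOAP envelope, by header or by body."""
    ctype = headers.get("content-type", "").lower()
    if "soapaction" in headers or "application/soap+xml" in ctype:
        return True          # SOAP 1.1 header or SOAP 1.2 media type
    if ctype.startswith(("text/xml", "application/xml")) and body:
        try:                 # plain XML: inspect the root element's namespace
            root = ET.fromstring(body)
        except ET.ParseError:
            return False
        m = re.match(r"\{(.*)\}Envelope$", root.tag)
        return bool(m) and m.group(1) in SOAP_NS
    return False

def perimeter_decision(raw: bytes, allowed_paths) -> str:
    """'allow' for non-SOAP HTTP; SOAP only reaches approved endpoints."""
    _, path, headers, body = parse_request(raw)
    if not is_soap(headers, body):
        return "allow"
    return "allow-soap" if path in allowed_paths else "deny-soap"

PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SOAP11 = (b"POST /StockQuote HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Type: text/xml; charset=utf-8\r\n"
          b'SOAPAction: "urn:GetLastTradePrice"\r\n\r\n'
          b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
          b"<s:Body/></s:Envelope>")
SOAP_NO_ACTION = (b"POST /admin/Internal HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Type: text/xml\r\n\r\n"
                  b'<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope">'
                  b"<e:Body/></e:Envelope>")
```

In production the XML parse should use a hardened parser and size limits, since the body is untrusted input; the point here is only that the HTTP layer alone is not where the policy decision belongs.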

The reminder of the need for attention to security is timely, however.

Related articles:

Re: Schneier worried about SOAP security (Christian Geuer-Pollmann - 11:02, 19 Feb 2002)

I think one problem for security people who only take a short look at this technology is the "object access" in the name of the spec. They hear "object transfer", "remote method invocation without security checks" and many more evil things.

Generally, he's right that mixing data and code is a real problem. Putting JavaScript etc. into XML files is a bad idea, but SOAP is not about these issues. Maybe he'll recognize this in the future ;-)

Regards, Christian

xmlhack: developer news from the XML community
