
Security

Monday, May 20, 2002

Slippery When Wet

Alan Cox said some nice things (question #3) about XML-RPC and SOAP, and Dave Winer responded politely. SOAP's overloading of tcp/80 is not really new; the exposure of more powerful APIs is.

Remember that "the Internet treats censorship as damage and routes around it." That's a catchy way of saying that people want to communicate, and prefer things that allow them to do so with a minimum of fuss. Firewalls, like broken routers, limit the flexibility of the environment, restricting the ability to communicate. They do this by blockading unknown ports, or by relaying both halves of the conversation, in order to achieve some semblance of control over the environment. It's known that people use tcp/80 for HTTP, so that port likely will be open. The easiest way to communicate is thus through tcp/80.

Now, this doesn't mean that firewalls are bad, or that SOAP is bad, but that an open hole will be used. Firewalls reduce your environment to a smaller set of variables. They are not the be-all and end-all of data security. So how do you secure your environment against SOAP scum? By following the same methods that you would to protect against any scum: simplify. Is it necessary to expose that API? Do you need all that clutter?
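The two paragraphs above make one point: a firewall that only knows "tcp/80 is open" cannot tell a page fetch from an API call, whereas a relay that reads both halves of the conversation can, and can then hold the exposed API to the short list you actually meant to publish. The following is an added example, not code from the original post; it classifies HTTP requests as ordinary web traffic, XML-RPC or SOAP and applies a method allowlist. The sample requests, the endpoint paths and the method names (`blog.getRecentPosts`, `RebuildIndex`) are all constructed for the example.

```python
"""Application-layer check for RPC traffic tunnelled over tcp/80.

Added example. A port filter sees only that tcp/80 is open; a relaying
proxy that reads the request can distinguish a page fetch from a SOAP or
XML-RPC call and apply an allowlist of intended methods.
"""
import re
from typing import Dict, Tuple

# Hypothetical allowlist: the only RPC methods this site intends to expose.
ALLOWED_METHODS = {"blog.getRecentPosts"}

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "page": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "xmlrpc_ok": (
        b"POST /RPC2 HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/xml\r\n\r\n"
        b'<?xml version="1.0"?><methodCall><methodName>blog.getRecentPosts'
        b"</methodName><params/></methodCall>"
    ),
    "xmlrpc_introspect": (
        b"POST /RPC2 HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/xml\r\n\r\n"
        b"<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"
    ),
    "soap": (
        b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:example#RebuildIndex\"\r\n\r\n"
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><ns:RebuildIndex xmlns:ns="urn:example"/></soap:Body></soap:Envelope>'
    ),
}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: bytes) -> str:
    """Return 'web', 'soap', 'xmlrpc' or 'unknown' for one HTTP request."""
    method, _path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").lower()
    # Both XML-RPC and SOAP 1.1 ride on POST with text/xml; SOAP 1.2 uses application/soap+xml.
    if method != "POST" or not ctype.startswith(("text/xml", "application/soap+xml")):
        return "web"
    if "soapaction" in headers or "application/soap+xml" in ctype or b"Envelope" in body:
        return "soap"
    if b"<methodCall>" in body:
        return "xmlrpc"
    return "unknown"


def rpc_method_name(kind: str, body: bytes) -> str:
    """Extract the called method: <methodName> for XML-RPC, first Body child for SOAP."""
    if kind == "xmlrpc":
        m = re.search(rb"<methodName>\s*([^<\s]+)\s*</methodName>", body)
    elif kind == "soap":
        m = re.search(rb"<(?:\w+:)?Body[^>]*>\s*<(?:\w+:)?([A-Za-z_][\w.]*)", body)
    else:
        return ""
    return m.group(1).decode("latin-1") if m else ""


def decide(raw: bytes) -> Tuple[str, str]:
    """Relay policy: pass ordinary web traffic, pass only allowlisted RPC methods."""
    kind = classify(raw)
    if kind == "web":
        return "allow", "ordinary web traffic"
    name = rpc_method_name(kind, parse_request(raw)[3])
    if name in ALLOWED_METHODS:
        return "allow", f"{kind} call to allowlisted method {name}"
    return "deny", f"{kind} call to {name or 'unidentified method'} is not on the allowlist"


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        verdict, reason = decide(raw)
        print(f"{label:18} {classify(raw):7} {verdict:5} {reason}")
```

The point of the allowlist is the "simplify" advice from the post: the relay does not try to enumerate bad methods, it passes the few you chose to expose and refuses everything else, including introspection calls such as `system.listMethods` that a port-only firewall would wave through on tcp/80.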

The flow of data is like water, finding any hole, no matter how small, and passing through it.

5:39:21 PM
categories: Writing Online, Security, System Administration