W3C home > Mailing lists > Public > public-ws-addressing@w3.org > March 2005

Re: RFC 2616 (rfc2616) - Hypertext Transfer Protocol -- HTTP/1.1Re: Minutes of the Web Services Addressing / TAG joint meeting

From: Rich Salz <rsalz@datapower.com>
Date: Mon, 07 Mar 2005 10:16:22 -0500
Message-ID: <422C7046.8090206@datapower.com>
To: noah_mendelsohn@us.ibm.com
CC: Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>, "www-tag@w3.org" <www-tag@w3.org>

> Makes sense, thanks.  I would still expect that anyone messing with your 
> HTTP Request-URI is likely to cause at the very least denial of service 
> due to message misrouting, except in the very particular case that the 
> intruder has a hook at the receiving end after the message is delivered. 

Yes, you'd expect a DoS.  You could notice this if you got at least a 
signed ACK back from the server, even in the case of a one-way MEP.  If 
you truly want a "no response" back from the server, then you could 
protect yourself at the transport layer by using SSL, which would 
prevent your special case of man-in-the-middle attack.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
Received on Monday, 7 March 2005 15:15:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:04 GMT