- From: Wetzel, Baylor <Baylor.Wetzel@bestbuy.com>
- Date: Mon, 22 May 2000 18:53:34 -0500
- To: xml-dist-app@w3.org
>>> Help me, please, to understand how this is specific to XML schemas.
>>
>> it isn't ... [I certainly don't think it is. -b]
>
> It sounds like a general claim for security-through-obscurity, maybe on the
> basis that shared 'anything with semantics' is dangerous.

Not sure I understand the security-through-obscurity part. While I'm one of the whiners about SOAP security, I never thought to base my objections on the schema itself. Although I certainly prefer that people not know the RPC format (SOAP IDL) for my servers, I would hardly rely on that as my only protection from fraud.

I don't see "anything with semantics" being dangerous. It is possible (although not nearly as likely) to grab socket data with a sniffer and reconstruct a message format or, beyond semantics, just take traces and play them back, possibly just fiddling with a few bits. The semantics is hardly the dangerous part. It's the letting strangers on the Internet invoke random functions on your server that's the problem, be it with SOAP, XML-RPC, RDS, IIOP, DCOM-over-IP, FTP, etc.

That having been said, I suppose it's possible that a SOAP implementation is flawed in some really dangerous way. Remember when you could send email to someone and include a line that automatically executed a shell command with the user's uid? What if you could rig a SOAP header field to contain a command that the SOAP (XML) parser executed rather than parsed? If such a situation occurred, I suppose that could be a critique of the schema or parser.

Was there someone who was arguing that the schema itself is inherently insecure?

-b

--------------------------------------------------------------------------------------------------------------
baylor
software poet and ai guy
Best Buy->IS->EIC->Enterprise Architecture & Integration
Area: artificial intelligence, system integration, object modeling, system architecture, R&D
Research Area: virtual employees (virtual sales agents, customer service reps, etc.)
"If you don't pay attention to every little detail, you miss most of the jokes"
Direct: 612.324.0445
<fnord>
Received on Monday, 22 May 2000 19:53:36 UTC
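The point made in the message above, that the danger is letting strangers invoke random functions on your server rather than their knowing the message format, is illustrated below with an added example that is not part of the original message or of any W3C or Best Buy code. It assumes a hypothetical `InventoryService` object, a hypothetical `urn:example-inventory` namespace, and two constructed SOAP 1.1 envelopes: a naive dispatcher that resolves the Body child's element name with `getattr` lets a remote caller reach any method on the object, while an allowlisted dispatcher exposes only the methods explicitly published. The `DOCTYPE` refusal is a cheap guard against the "parser executes rather than parses" class of trouble (entity tricks) mentioned in the message; it is a minimal check, not a complete XML hardening.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SERVICE_NS = "urn:example-inventory"                      # hypothetical service namespace


class InventoryService:
    """Hypothetical back-end object. Only get_price is meant to be callable remotely."""

    def __init__(self):
        self._prices = {"sku-1": 19.99, "sku-2": 5.00}
        self.shutdown_called = False

    def get_price(self, sku):
        return self._prices.get(sku)

    def shutdown(self):
        # Internal administrative method; never intended for remote callers.
        self.shutdown_called = True
        return "shutting down"


def parse_call(envelope_xml):
    """Return (method_name, [argument strings]) from the first child of soap:Body."""
    if "<!DOCTYPE" in envelope_xml:
        # Refuse documents that carry a DTD: no entity expansion games at all.
        raise ValueError("DOCTYPE not accepted")
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no soap:Body with a call element")
    call = body[0]
    method = call.tag.split("}")[-1]            # strip the "{namespace}" prefix
    args = [child.text or "" for child in call]  # one positional argument per child element
    return method, args


def dispatch_naive(service, envelope_xml):
    """Vulnerable pattern: whatever name the caller sends is looked up on the object."""
    method, args = parse_call(envelope_xml)
    return getattr(service, method)(*args)


# Explicit list of what is published remotely: name -> (function, expected argument count).
EXPOSED = {
    "get_price": (InventoryService.get_price, 1),
}


def dispatch_allowlisted(service, envelope_xml):
    """Hardened pattern: only published methods, with the argument count checked."""
    method, args = parse_call(envelope_xml)
    entry = EXPOSED.get(method)
    if entry is None:
        raise PermissionError(f"method not exposed: {method}")
    func, arity = entry
    if len(args) != arity:
        raise ValueError(f"{method} expects {arity} argument(s), got {len(args)}")
    return func(service, *args)


def rejection(dispatcher, service, envelope_xml):
    """Return the name of the exception a dispatcher raises, or None if the call went through."""
    try:
        dispatcher(service, envelope_xml)
    except Exception as exc:  # noqa: BLE001 - we want to report any rejection
        return type(exc).__name__
    return None


# Constructed sample envelopes (not captured traffic).
PRICE_CALL = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <inv:get_price xmlns:inv="{SERVICE_NS}">
      <inv:sku>sku-1</inv:sku>
    </inv:get_price>
  </soap:Body>
</soap:Envelope>"""

SHUTDOWN_CALL = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <inv:shutdown xmlns:inv="{SERVICE_NS}"/>
  </soap:Body>
</soap:Envelope>"""

DTD_CALL = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]>' + PRICE_CALL.split("?>", 1)[1]


if __name__ == "__main__":
    naive_svc = InventoryService()
    print("naive  get_price:", dispatch_naive(naive_svc, PRICE_CALL))
    print("naive  shutdown :", dispatch_naive(naive_svc, SHUTDOWN_CALL), naive_svc.shutdown_called)
    safe_svc = InventoryService()
    print("safe   get_price:", dispatch_allowlisted(safe_svc, PRICE_CALL))
    print("safe   shutdown :", rejection(dispatch_allowlisted, safe_svc, SHUTDOWN_CALL))
    print("safe   DOCTYPE  :", rejection(dispatch_allowlisted, safe_svc, DTD_CALL))
```

The naive dispatcher answers the `shutdown` call just as readily as `get_price`, because nothing in it distinguishes "published" from "merely present on the object"; hiding the WSDL or schema would not change that. The allowlisted version makes the exposed surface an explicit, reviewable table, which is the check a practitioner actually wants regardless of whether the wire format is public.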