I agree putting SOAP on top of HTTP/port 80 to circumvent firewalls is a lame idea. Developers would be wise to run different SOAP services on different ports altogether, but at least the quoted bits had the mindset of "developers don't care one bit about security". And the difficulty of preventing SOAP calls through port 80 makes enforcing this policy hard.
But if SOAP-over-HTTP is such a surefire Internet killer secadmins claim it is, why aren't the various protocols tunneled over SSL/port 443 considered a similar risk? After all, that traffic could be HTTP, it could be SMTP or maybe FTP or who knows what the developers invented. It could even be *gasp* SOAP!