VNU Net: Soap could slip up on securityJun 21, 2000, 09:08 (11 Talkback[s])
(Other stories by John Leyden)
By John Leyden, VNU Net
Microsoft is championing a protocol for cross-platform communication that can bypass firewall defences and could leave companies open to what experts describe as a fresh class of security vulnerabilities.
The Simple Object Access Protocol, or Soap, specifies how to encode an HTTP header and an XML (eXtensible Markup Language) file so that a program in one computer can call a program in another computer and pass it information. It also defines how the called program can return a response.
On its developers' website, Microsoft promotes Soap as a means for application developers to get around the 'limitations' security administrators have set in place. But experts have warned that this opens up numerous security risks.
A white paper on Soap on the developers' site states that firewalls currently make it difficult for distributed object protocols to function. These include DCOM (Distributed Component Object Model), Microsoft's object model for enabling Windows-based components to communicate with each other.
"Currently, developers struggle to make their distributed applications work across the internet when firewalls get in the way. Since most firewalls block all but a few ports, such as the standard HTTP port 80, all of today's distributed object protocols like DCOM suffer because they rely on dynamically assigned ports for remote method invocations," the white paper states.
Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, said that allowing powerful protocols such as DCOM to work over the internet instead of restricting it to closely administered server farms is asking for trouble.
"Soap is going to open up a whole new avenue for security vulnerabilities," said Schneier. "Firewalls have good reasons for blocking protocols like DCOM coming from untrusted sources. Protocols that sneak them through are not what's wanted."
Don Box, co-author of the Soap specification, said that Soap calls would be clearly defined by a HTTP header, which could be filtered against.
"Soap calls look like pornography to a firewall administrator and he can selectively let these in or prohibit them," said Box, who added that Soap traffic could be filtered even though firewalls are not Soap-aware.
Richard Stagg, senior security architect at Information Risk Management, argued that this approach does not wash.
Selectively blocking Soap calls gives far less control at a firewall than that achieved by filtering different protocols of internet traffic, he said.
Schneier warned: "Because no security is required in either HTTP, XML or Soap, it's a pretty simple bet that different people will bungle any embedded security in different ways, leading to different holes on different implementations."
Microsoft is banking on Soap, which is going through the World Wide Web Consortium's standards process, as a cross-platform XML technology that will fit into Next Generation Windows Services.