
VNU Net: Soap could slip up on security

By John Leyden, VNU Net

Microsoft is championing a protocol for cross-platform
communication that can bypass firewall defences and could leave
companies open to what experts describe as a fresh class of
security vulnerabilities.

The Simple Object Access Protocol, or Soap, specifies how to
encode an HTTP header and an XML (eXtensible Markup Language) file
so that a program in one computer can call a program in another
computer and pass it information. It also defines how the called
program can return a response.

On its developers’ website, Microsoft promotes Soap as a means
for application developers to get around the ‘limitations’ security
administrators have set in place. But experts have warned that this
opens up numerous security risks.

A white paper on Soap on the developers’ site states that
firewalls currently make it difficult for distributed object
protocols to function. These include DCOM (Distributed Component
Object Model), Microsoft’s object model for enabling Windows-based
components to communicate with each other.

“Currently, developers struggle to make their distributed
applications work across the internet when firewalls get in the
way. Since most firewalls block all but a few ports, such as the
standard HTTP port 80, all of today’s distributed object protocols
like DCOM suffer because they rely on dynamically assigned ports
for remote method invocations,” the white paper states.

Bruce Schneier, founder and chief technology officer of
Counterpane Internet Security, said that allowing powerful
protocols such as DCOM to work over the internet instead of
restricting them to closely administered server farms is asking for
trouble.

“Soap is going to open up a whole new avenue for security
vulnerabilities,” said Schneier. “Firewalls have good reasons for
blocking protocols like DCOM coming from untrusted sources.
Protocols that sneak them through are not what’s wanted.”

Don Box, co-author of the Soap specification, said that Soap
calls would be clearly defined by an HTTP header, which could be
filtered against.

“Soap calls look like pornography to a firewall administrator
and he can selectively let these in or prohibit them,” said Box,
who added that Soap traffic could be filtered even though firewalls
are not Soap-aware.

Richard Stagg, senior security architect at Information Risk
Management, argued that this approach does not wash.

Selectively blocking Soap calls gives far less control at a
firewall than that achieved by filtering different protocols of
internet traffic, he said.
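As an added illustration (not code from the article or from any of the people quoted) of the filtering Box describes and of the coarse control Stagg objects to: a small Soap-aware filter that parses a raw HTTP request, recognises a SOAP 1.1 call by its SOAPAction header or by an Envelope in the body, and admits only SOAPAction values on an allow-list. The host `example.invalid`, the `GetQuote` method and the sample requests are constructed for this example.

```python
"""Soap-aware filter as a firewall could apply it: classify a raw HTTP request
as Soap or not and let through only known SOAPAction values (sample requests constructed)."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET
SOAP11_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

@dataclass
class Verdict:
    is_soap: bool
    action: str      # SOAPAction value; "" when absent or not a Soap call
    allowed: bool

def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def soap_envelope_present(body: bytes) -> bool:
    """True if the body is well-formed XML rooted at a SOAP 1.1 Envelope."""
    try:
        return ET.fromstring(body).tag == "{%s}Envelope" % SOAP11_ENV_NS
    except ET.ParseError:
        return False

def classify(raw: bytes, allowed_actions: set) -> Verdict:
    """Return whether the request is Soap and whether policy lets it through."""
    _, headers, body = parse_request(raw)
    action = headers.get("soapaction")
    content_type = headers.get("content-type", "")
    # SOAP 1.1 marks a call with the SOAPAction header; the body is checked too,
    # so a call that omits the header is not waved through as ordinary HTTP.
    is_soap = action is not None or (
        content_type.startswith("text/xml") and soap_envelope_present(body))
    if not is_soap:
        return Verdict(False, "", True)  # plain web traffic: not this filter's concern
    action = (action or "").strip().strip('"')
    return Verdict(True, action, action in allowed_actions)  # unknown method: deny

# Constructed sample traffic (example.invalid and GetQuote are hypothetical).
SOAP_CALL = (b"POST /quote HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Type: text/xml; charset=utf-8\r\n"
             b'SOAPAction: "http://example.invalid/GetQuote"\r\n\r\n'
             b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
             b"<s:Body><GetQuote><symbol>ACME</symbol></GetQuote></s:Body></s:Envelope>")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```

The verdict is only as fine-grained as the SOAPAction values the filter knows about, and every call still rides on port 80, which is the loss of control Stagg points to.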

Schneier warned: “Because no security is required in either
HTTP, XML or Soap, it’s a pretty simple bet that different people
will bungle any embedded security in different ways, leading to
different holes on different implementations.”

Microsoft is banking on Soap, which is going through the World
Wide Web Consortium’s standards process, as a cross-platform XML
technology that will fit into Next Generation Windows Services.
