Security Basics mailing list archives
RE: RPC over HTTP security
From: Shawn Wall <sjwall () shaw ca>
Date: Fri, 28 Jan 2005 14:12:29 -0700
I think your best option is to use a VPN to allow your mobile users access to email if they require the functionality of Outlook vs OWA. I've deployed this configuration using a PIX and Cisco VPN client. Works very well.

shawn

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm () ornl gov]
Sent: Friday, January 28, 2005 6:19 AM
To: Ansgar -59cobalt- Wiechers; security-basics () securityfocus com
Subject: RE: RPC over HTTP security

Ansgar,

Answers to your questions.

1) Because the functionality of RPC over HTTP(S) is a great benefit to mobile users.

2) It doesn't. However, by "bloating" the protocol so it will work over HTTP, I have also "bloated" the protocol to allow it to work over HTTPS. This allows me to secure the traffic.

Let's now look at RPC. What are the major vulnerabilities of RPC? RPC does not authenticate prior to allowing the connection to proceed. Many of the RPC vulnerabilities would be neutered if RPC was forced to authenticate prior to making the connection. RPC over HTTP solves this problem by forcing authentication. When I add HTTPS to this scenario, I have secured my credentials while they are in an untrusted environment and provided authentication prior to allowing RPC to proceed. The RPC traffic is also passed through the SSL tunnel providing end-to-end security.

Dennis

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Wednesday, January 26, 2005 8:22 PM
To: security-basics () securityfocus com
Subject: Re: RPC over HTTP security

On 2005-01-26 sf_mail_sbm () yahoo com wrote:
> We are thinking about deploying RPC over HTTP to access email from the Internet

Ask yourself two questions:

1. Why does nobody in his right mind do RPC over untrusted networks?
2. How does bloating a protocol by encapsulating it in plain-text make it any better?

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
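Dennis's argument rests on two gateway properties: the RPC proxy must demand authentication before any RPC is accepted, and the cleartext HTTP side must be closed or redirected to HTTPS. The script below is an added example (not from this thread or from any of its posters) that an administrator can run against their own gateway to confirm both; it assumes the Exchange RPC proxy is published at /rpc/rpcproxy.dll and that the HTTP and HTTPS listeners are on ports 80 and 443.

```python
"""Check an RPC-over-HTTPS gateway for auth-before-RPC and TLS-only exposure."""
import http.client
import ssl
from dataclasses import dataclass, field

# Assumption: standard Exchange RPC proxy path (not named in the thread).
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"
REDIRECTS = (301, 302, 307, 308)


@dataclass
class Verdict:
    auth_before_rpc: bool       # unauthenticated HTTPS request is met with a 401 challenge
    tls_only: bool              # cleartext HTTP is refused, forbidden or redirected to https://
    notes: list = field(default_factory=list)


def assess(https_status, https_headers, http_status, http_headers):
    """Decide the two properties from the raw responses; status None = connection refused."""
    notes = []
    hs = {k.lower(): v for k, v in https_headers.items()}
    www_auth = hs.get("www-authenticate", "")
    auth_ok = https_status == 401 and bool(www_auth)
    if not auth_ok:
        notes.append(f"HTTPS: expected 401 + WWW-Authenticate, got {https_status} {www_auth!r}")
    ps = {k.lower(): v for k, v in http_headers.items()}
    if http_status is None:
        tls_ok = True                                   # port 80 closed or reset
    elif http_status in REDIRECTS:
        tls_ok = ps.get("location", "").lower().startswith("https://")
    elif http_status == 403:
        tls_ok = True                                   # IIS "Require SSL" answers 403 on cleartext
    else:
        tls_ok = False
    if not tls_ok:
        notes.append(f"HTTP: cleartext reached the proxy, status {http_status}")
    return Verdict(auth_ok, tls_ok, notes)


def probe(host, port, use_tls, timeout=5.0):
    """Unauthenticated GET against the proxy path; (None, {}) when the connection fails."""
    try:
        if use_tls:
            conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                               context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", RPC_PROXY_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    except (OSError, http.client.HTTPException):
        return None, {}


def check_gateway(host):
    """Run both probes against your own gateway and return the Verdict."""
    return assess(*probe(host, 443, True), *probe(host, 80, False))
```

Run `check_gateway("mail.example.org")` (a placeholder host) and treat any entry in `notes` as a misconfiguration to fix before publishing the proxy.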