Firewall Wizards mailing list archives

Re: Soap - Was RPCs over HTTPS through the firewall


From: Chuck Swiger <chuck () codefab com>
Date: Fri, 02 May 2003 11:00:53 -0400

Marcus J. Ranum wrote:
[ ... ]
> No concerns - Soap is from Microsoft, so it's OK.
> Remember, Microsoft got serious about security last year, and fixed
> all the flaws in their code. I think they spent a whole month or something
> like that doing it. I'm sure that Soap's fine, now.

Absolutely: remember, keeping one's sense of humor with regard to Microsoft security is an important skill for members of this list.

I was going to observe that even Unix-based RPC has had a terrible history, by which I mean problems with portmap, NFS, pretty much every CDE-based service I've heard of (cmsd?), rpc.lockd, etc.

I believe Microsoft recently said that they weren't going to even try to fix the security problems with the RPC service locator for WinNT, their equivalent of portmap. All of this being said, I haven't really even looked at SOAP, so whether the history of other forms of RPC-- or of Microsoft software-- is relevant to Mason's case is another question.

--
-Chuck

PS: I was wondering how to phrase the notion that there is approximately 100% correlation between the history of something, and the current status of that thing. :-)

I was taught to write software in an academic environment where a program that crashed got a failing grade, period. You were given test cases and the correct results your program should produce, but your code would be run against other data (quite possibly randomized per student) that you didn't have. Your program either ran and got the correct answers, ran and made mistakes, or failed to run.

