29 Jun 2000
Microsoft is championing a protocol for cross-platform communication that can bypass firewall defences and could leave companies open to what experts describe as a fresh class of security vulnerabilities.
The Simple Object Access Protocol, or Soap, specifies how to encode an HTTP header and an XML (eXtensible Markup Language) file so that a program in one computer can call a program in another computer and pass it information.
It also defines how the called program can return a response.
On its developers' website, Microsoft promotes Soap as a means for application developers to get around the 'limitations' set in place by administrators.
But experts warn that this opens up security risks.
A white paper on Soap on the site states that firewalls currently make it difficult for distributed object protocols to function. These include DCOM (Distributed Component Object Model), Microsoft's object model for enabling Windows-based components to communicate with each other.
"Currently, developers struggle to make their distributed applications work across the internet when firewalls get in the way. Since most firewalls block all but a few ports, all of today's distributed object protocols like DCOM suffer because they rely on dynamically assigned ports for remote method invocations," the white paper states.
Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, said that allowing powerful protocols such as DCOM to work over the internet, instead of restricting them to closely administered server farms, is asking for trouble.
"Soap is going to open up a whole new avenue for security vulnerabilities," said Schneier. "Firewalls have good reasons for blocking protocols like DCOM coming from untrusted sources. Protocols that sneak them through are not what's wanted."
Don Box, co-author of the Soap specification, said that Soap calls would be clearly defined by an HTTP header, which could be filtered. "Soap calls look like pornography to a firewall administrator and he can selectively let these in or prohibit them," said Box, adding that Soap traffic could be filtered even though firewalls are not Soap-aware.
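Box's point is that a Soap call announces itself in its HTTP headers, so a filter need not understand Soap to police it. The following is an added example (not code from the article, Microsoft or Counterpane) of a minimal fail-closed filter: it parses a raw HTTP request, recognises a Soap 1.1 call by the SOAPAction header or a text/xml Envelope body, and allows only actions on an administrator's allow-list. The sample requests, the `urn:example:` action names and the `example.test` host are constructed.

```python
from typing import Dict, Tuple

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def is_soap_call(raw: str) -> bool:
    """Soap 1.1 over HTTP: a POST with a SOAPAction header, or a text/xml Envelope."""
    method, _path, headers, body = parse_request(raw)
    if method != "POST":
        return False
    if "soapaction" in headers:
        return True
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "text/xml" and "Envelope" in body

def filter_request(raw: str, allowed_actions: set) -> str:
    """'pass' for non-Soap traffic, 'allow' for an allow-listed SOAPAction, else 'deny'.
    The header is chosen by the client, so anything unrecognised (including a
    missing SOAPAction) is denied rather than waved through."""
    if not is_soap_call(raw):
        return "pass"
    _m, _p, headers, _b = parse_request(raw)
    action = headers.get("soapaction", "").strip().strip('"')
    return "allow" if action and action in allowed_actions else "deny"

# Constructed sample requests (not captured traffic).
SOAP_ALLOWED = ("POST /quote HTTP/1.1\r\nHost: example.test\r\n"
                "Content-Type: text/xml; charset=utf-8\r\n"
                "SOAPAction: \"urn:example:GetQuote\"\r\n\r\n"
                "<Envelope><Body><GetQuote/></Body></Envelope>")
SOAP_UNLISTED = SOAP_ALLOWED.replace("GetQuote", "DeleteAll")
SOAP_NO_ACTION = ("POST /quote HTTP/1.1\r\nHost: example.test\r\n"
                  "Content-Type: text/xml\r\n\r\n<Envelope><Body/></Envelope>")
FORM_POST = ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=a")
ALLOWED = {"urn:example:GetQuote"}  # the administrator's allow-list

if __name__ == "__main__":
    for name, req in [("allowed", SOAP_ALLOWED), ("unlisted", SOAP_UNLISTED),
                      ("no-action", SOAP_NO_ACTION), ("form", FORM_POST)]:
        print(name, filter_request(req, ALLOWED))
```

Because the client controls every header, such a filter is only a policy check on declared intent; the service behind it must still authorise each call.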