Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
Two things.

First of all on the server side you are talking about what could theoretically happen. I prefer talking about what I think really will happen. SOAP servers are going to get it wrong early and often.

On the client side, you completely miss my point. I don't mind the client side because I think bad clients are going to harm servers (except through things like DDoS). I mind the client side because I think that poorly coded clients will lead to a stream of client-side compromises. Allow those clients on your network, and bad guys with access to a server will manage to compromise clients, and once they have control of clients will be able to do damage inside of your network.

As you say, the browser bugs are mostly known and fixed. The existence of, say, a hole where IE will allow arbitrary code to be executed locally is rare enough that when it happened it was newsworthy. But by contrast the upcoming Word, Excel, etc bugs are not known. Let alone all of the upcoming bugs for random applications (both Windows and not) which other people are dreaming up that talk SOAP. With that diversity of clients expecting to talk over the internet from behind firewalls you can expect network compromises of the local machine to come fast and furiously until it is no more newsworthy than the latest macro virus.

Perhaps this doesn't bother you. It should. To see why, let me outline one simple scenario.

Suppose Microsoft achieves its goal. Suppose that they have some common application (eg Word or Excel) routinely connect to a passport service. Suppose further that a smart black hat discovers one remotely exploitable security hole in that client and one in the passport servers. The black hat then produces one piece of spyware, compromises passport to make it compromise every connecting client, and compromises the client to install its spyware, which can then call home through SOAP.

What kind of damage could they then do? (Stealing valuable information, industrial espionage, etc.)

Is this really how vulnerable we want our networks to be?

UPDATE
It is rather ironic that I would say good things about IE's security on today of all days...


In reply to Re (tilly) 5: SOAP::Lite dispatch routine by tilly
in thread SOAP::Lite dispatch routine by gildir

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others chanting in the Monastery: (6)
    As of 2020-11-29 04:34 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      No recent polls found

      Notices?