Comments: Message is the Center

Hmmm, what is a message?

Okay, I'm showing off here, wanting to sound profoundly wise like a kind of pundit.

Essentially I'm asking "What is it that you want to protect". And I'm pretty sure that you don't just want to protect (whatever that may mean) the message (whatever that may mean).

Posted by Twan at May 2, 2007 05:48 PM

In what way is a REST over SSL application insecure?

Posted by James A. Donald at May 3, 2007 04:42 PM

Twan - SOAP says a message is
"A SOAP message is specified as an XML infoset whose comment, element, attribute, namespace and character information items are able to be serialized as XML 1.0."
(http://www.w3.org/TR/soap12-part1/)

James - A number of ways, but the main one we are talking about is that whatever foo you have bundled in the REST r/r (identity tokens, sensitive data) is vulnerable if and when SSL is terminated. In your standard corporate data center for example with leveraged infrastructure the SSL is terminated at the outer edge. Of course if you value integrity, SSL doesn't help you there either.

REST/SOA apps are integrated across hops, so the security model should not be point-to-point in most cases.

Posted by Gunnar at May 3, 2007 05:34 PM
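An added example illustrating the point made in the comment above (it is not code from any of the commenters or from the blog): once SSL/TLS is terminated at an edge device, every later hop handles the request body in plaintext and can alter it undetected, whereas an integrity tag computed over the message itself travels with the message and is checked by the final recipient regardless of how many hops sit in between. The key, the payload fields and the "hop" function are constructed for the demo; HMAC-SHA256 over a canonical JSON serialization stands in for whatever message-level signature scheme (WS-Security, JWS, etc.) a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system each party obtains its key from key
# management; it is never hard-coded in source.
SHARED_KEY = b"constructed-demo-key-do-not-use"


def canonical_bytes(payload: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Wrap the payload in an envelope carrying an HMAC-SHA256 over its canonical form."""
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def verify_message(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag at the final recipient; constant-time compare avoids timing leaks."""
    payload = envelope.get("payload")
    if not isinstance(payload, dict):
        return False
    expected = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("sig", "")))


def tls_terminating_hop(envelope: dict, tamper: bool) -> dict:
    """Model an intermediary that sits past the TLS endpoint (load balancer, ESB, proxy).

    Transport encryption ended one hop earlier, so this box sees the plaintext body
    and, if compromised or misconfigured, can rewrite it before forwarding.
    """
    forwarded = json.loads(json.dumps(envelope))  # a fresh copy, as the next hop receives it
    if tamper:
        forwarded["payload"]["amount"] = 9999  # constructed tampering of a business field
    return forwarded


def deliver(payload: dict, tamper: bool, key: bytes = SHARED_KEY) -> bool:
    """Sender -> (TLS ends) -> intermediary -> recipient. Returns the recipient's verdict."""
    envelope = sign_message(payload, key)
    received = tls_terminating_hop(envelope, tamper)
    return verify_message(received, key)


if __name__ == "__main__":
    order = {"account": "alice", "amount": 10, "token": "constructed-identity-token"}
    print("untouched message verifies:", deliver(order, tamper=False))
    print("tampered message verifies:", deliver(order, tamper=True))
```

The tag covers only integrity and origin; it does nothing for confidentiality, so the identity token in the body is still readable by every hop, and a production design would additionally encrypt sensitive fields and bind a timestamp or nonce into the signed bytes to resist replay.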