[via Scripting News, from Slashdot] Alan Cox [Mr. Linux Kernel] said in an interview: "The more dangerous parts of all this are not so much .NET but chunks of the model that not only the .NET product and the Java standards rely on. Things like XML-RPC, SOAP and the stuff on top of them are designed to 'interwork through firewalls'. A better phrase would be 'go through the firewall like a knife through butter in a way that prevents the companies involved monitoring the activity.'"
Interesting point. As far as I know, HTTP is the thing that traverses the firewall. SOAP is only the payload.
Let's imagine the following: a piece of software that tunnels data, for example IP packets, over HTTP (no SOAP involved, really ;-)). This way, someone inside the company could easily reach every service of the outside world by opening a connection to his home PC, which in turn forwards the IP packets to the Internet. What do you think? Do such products already exist? On gnu.org? And still, a GNU evangelist complains about SOAP ... ;-)
"httptunnel creates a bidirectional virtual data connection tunnelled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired.
This can be useful for users behind restrictive firewalls. If WWW access is allowed through an HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall."
Hmmm ... now imagine putting an SSH tunnel on top of the httptunnel and running this beast from inside the firewall on a machine which has NAT/routing facilities. This way, one of your employees can open an IP tunnel to the outside world and later access any internal network resource from his home PC. Via outgoing HTTP packets, sent from inside your network!
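To make concrete what the proxy does and does not see in that scenario, here is an added example (not code from the original post and not httptunnel's own wire format, just a sketch of the same idea): an inner byte stream, which could be a telnet session, PPP frames or an SSH connection with a remote port forward, is chopped into chunks, each chunk is sent as the body of an ordinary POST, and the reply comes back as the body of a 200 OK. A content-unaware proxy logs nothing but method, URL and size. The host name, URL and the toy uppercase "service" behind the tunnel are constructed for the illustration.

```python
"""Added illustration of HTTP tunnelling: an arbitrary byte stream carried as
HTTP POST bodies, and what an HTTP proxy's log shows of it.  Simplified
framing, not httptunnel's real protocol; endpoint names are made up."""
from typing import Dict, List, Tuple

TUNNEL_HOST = "tunnel.example.com"   # assumed: the outside endpoint (the home PC)
TUNNEL_PATH = "/index.html"          # assumed: an innocent-looking URL


def wrap_request(payload: bytes) -> bytes:
    """Inside (client) end: carry one chunk of the inner stream as a POST body."""
    head = (
        f"POST {TUNNEL_PATH} HTTP/1.1\r\n"
        f"Host: {TUNNEL_HOST}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n"
        f"\r\n"
    )
    return head.encode("ascii") + payload


def wrap_response(payload: bytes) -> bytes:
    """Outside (server) end: return the real service's bytes as a 200 OK body."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + payload


def unwrap(message: bytes) -> Tuple[str, Dict[str, str], bytes, bytes]:
    """Parse one HTTP message from the front of `message`.
    Returns (start line, headers, body, leftover); `leftover` is whatever
    follows the body, i.e. the next pipelined message on the same connection."""
    head, sep, rest = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("truncated body")
    return lines[0].decode("ascii"), headers, rest[:length], rest[length:]


def proxy_log_line(message: bytes) -> str:
    """What a content-unaware HTTP proxy records for the next message on the
    wire: method, URL and body size.  The body itself is opaque to it."""
    start, headers, body, _ = unwrap(message)
    method, path, _version = start.split(" ", 2)
    return f"{method} http://{headers['host']}{path} {len(body)}"


def round_trip(chunks: List[bytes]) -> Tuple[List[bytes], List[str]]:
    """Simulate the exchange inside -> proxy -> outside -> back for every chunk.
    The 'service' behind the tunnel is a toy that upper-cases what it receives."""
    replies: List[bytes] = []
    log: List[str] = []
    wire = b"".join(wrap_request(c) for c in chunks)   # pipelined POSTs
    while wire:
        log.append(proxy_log_line(wire))      # proxy: logs, forwards unchanged
        _, _, body, wire = unwrap(wire)       # server end: recover the chunk
        response = wrap_response(body.upper())
        _, _, data, rest = unwrap(response)   # client end: recover the reply
        if rest:
            raise ValueError("unexpected trailing data in response")
        replies.append(data)
    return replies, log


if __name__ == "__main__":
    # constructed sample of an inner (telnet-like) session
    out, seen_by_proxy = round_trip([b"login: alice\r\n", b"ls -l /etc\r\n"])
    for line in seen_by_proxy:
        print("proxy log:", line)
    for chunk in out:
        print("tunnel returned:", chunk)
```

Swap the toy upper-casing service for a real TCP socket to port 22 on the outside host and the inner stream for an SSH client (with a remote port forward, ssh -R, back into the internal network), and the proxy's log is unchanged: a run of POSTs to one URL. That is the only handle a monitoring team has, which is why request rate, body sizes and a single URL receiving endless POSTs are the signals worth alerting on.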
Sounds like it would 'go through the firewall like a knife through butter in a way that prevents the companies involved monitoring the activity'. In fact, if I were the person responsible for a company's IT security, this would scare me a lot more than any SOAP or XML-RPC.