[mplspm]: M$oft wants HTTP get & post disabled

Chris Josephes cpj1 at isis.visi.com
Wed Mar 20 06:58:40 CST 2002


On Tue, 19 Mar 2002, Rob Wentworth wrote:

> It would seem that Micro$oft has security issues with their ASP.NET stuff,
> when running on web servers that support HTTP-GET and HTTP-POST protocols,
> 
> Is their solution to fix .NET?  No way!  Just disable HTTP GET and POST
> protocols!
> 
> Who needs those pesky CGI scripts anyway, when you have Micro$oft
> alternatives?
> 
> Read all about it here:
> http://msdn.microsoft.com/library/en-us/dnnetsec/html/disHTT.asp

Didn't the Slashdot geeks bring this up a while back?

To be fair, the article does have a valid point.  HTTP as a protocol is
being way over-extended in some areas, to the point where new protocols
aren't being designed, they're just bastardising HTTP to suit their needs.
This greatly increases the amount of traffic going to port 80, and makes
it a lot harder for security administrators to protect their networks.

If you don't want to risk outside hosts hitting your XML Services
hosts, either block incoming port 80 from your firewall, or simply disable
the services on the host itself.

Sooner or later a stateful, connection-oriented protocol suitable for XML
transfer will come around and will be adopted by many people.  To a degree
it's already happened with Jabber.


-----------------------------------------------------------------------
Christopher Josephes    | http://www.visi.com/~cpj1
cpj1 at visi.com           |



--------------------------------------------------
Minneapolis Perl Mongers mailing list
