[mplspm]: M$oft wants HTTP get & post disabled

Troy Johnson troy.johnson at myrealbox.com
Wed Mar 20 11:23:41 CST 2002


Hi!

Chris Josephes wrote:
> On Tue, 19 Mar 2002, Rob Wentworth wrote:
> > It would seem that Micro$oft has security issues with their ASP.NET stuff,
> > when running on web servers that support HTTP-GET and HTTP-POST protocols.
> > Is their solution to fix .NET?  No way!  Just disable HTTP GET and POST
> > protocols!
> > Who needs those pesky CGI scripts anyway, when you have Micro$oft
> > alternatives?
> > Read all about it here:
> > http://msdn.microsoft.com/library/en-us/dnnetsec/html/disHTT.asp
> Didn't the Slashdot geeks bring this up awhile back?
> To be fair, the article does have a valid point.  HTTP as a protocol is
> being way over-extended in some areas, to the point where new protocols
> aren't being designed, they're just bastardising HTTP to suit their needs.
> This greatly increases the amount of traffic going to port 80, and makes
> it a lot harder for security administrators to protect their networks.

I don't think that was the point of the article. It may be something
that could be distilled from it, but I think the point was "USE
MICROSOFT SERVICES, ALTERNATIVES ARE LAME". They are trying to get
people to turn off this one competing technology, if they don't use it,
when they should be saying "RULE 1: IF YOU ARE NOT USING SOMETHING, TURN
IT OFF. Rule one applies here". Why don't they want to dispense this
sage wisdom? My guess is they fear most of their stuff would be turned
off as a matter of course (as it should be) on production web servers,
giving web developers less of an opportunity to tinker with it (and get
hooked).

I think that pointing out things like this "boogie man" (i.e.: "The
external developer of the malicious Web page has internal knowledge of
the XML Web service's existence and invocation details.") makes things
worse. There's real information out there and this is mostly noise. The
scenario is not impossible, but if your app needs tighter security, you
plan for it. Maybe MS's "ASP.NET XML Web services" isn't the right tool
for the job.

It would be comforting if their newfound "security" focus seemed more
serious and less a ridiculous PR ploy.

My 2 cents, have a great day.

Troy


--------------------------------------------------
Minneapolis Perl Mongers mailing list