Microsoft Web Services Security Recommendation: Disable HTTP-GET

Jeff Bone jbone@jump.net
Wed, 20 Mar 2002 00:43:09 -0600


So on rare occasion I now peruse the FoRK archive to remind
myself what I'm intentionally missing.  Today, I saw a thread on
the subject above.  Good call, Mr. FoRK, I would've missed that
myself otherwise.  Wanted to drop in a few read-mostly
comments...

You've got to ask...  since *when* has Microsoft ever shown *any*
sign of being concerned over fundamentally architectural security
issues?  And should this be considered a problem with HTTP, or a
problem with SOAP-based "Web services"?

Answers:  never, and SOAP-based Web services.

The HTTP abstraction / paradigm itself --- URI + HTTP + limiting
HTTP availability + reasonable service encapsulation --- should
and does provide sufficient security for any conceivable
service.  This isn't a weakness in HTTP, or a problem with hybrid
browser-based / code-based services, it's a problem of
authorization in general and an increased encapsulation liability
for SOAP-based Web services.  Which leads one to ask:  why would
Microsoft agitate against HTTP?

Answer:  to the extent that arbitrary code developed against
arbitrary APIs can interoperate in a loosely-coupled manner with
other similar arbitrary code...  Microsoft loses.  Microsoft has
a vested interest in seeing HTTP lose --- whether or not that's
possible, it's definitely a best-case scenario for them, cf. Don
Box.  And the current Web services strategy --- which they've bet
the farm on, so they can't admit to any even *existing*
fundamental flaws --- and fiats such as this --- these are the
vehicle for pursuing that goal.

Think about it.

Ciao,

jb