Moving sideward from the specific case of Microsoft's RPC-over-HTTPS to the
case of XML-over-HTTPS used for Web Services, here are some thoughts from
the Web Services Security world:
I find that people start from a standpoint of thinking firewalls are
oblivious to XML but then realize that a far
-Original Message-
From: Kyle Maxwell [mailto:[EMAIL PROTECTED]
Sent: 25 October 2004 04:30
To: Airey, John
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
[snip]
You're talking about solving a problem that DOESN'T EXIST
On Tue, 26 Oct 2004 16:47:21 +0100, Airey, John [EMAIL PROTECTED] wrote:
Therefore my point still stands that if someone does possess a mathematical solution
to the above, then all bets are off.
(Whoever it was who disagreed about my statements on encryption, please remember the
context of
On Fri, 22 Oct 2004 14:50:23 +0100, Airey, John [EMAIL PROTECTED] wrote:
-Original Message-
From: Kyle Maxwell [mailto:[EMAIL PROTECTED] ]
I think you may mean something slightly differently; given any large
prime p, I can factor it completely extremely quickly:
p = 1 * p
-Original Message-
From: Kyle Maxwell [mailto:[EMAIL PROTECTED]
Sent: 21 October 2004 17:57
To: Airey, John
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
On Thu, 21 Oct 2004 13:21:10 +0100, Airey, John [EMAIL PROTECTED] wrote:
On 22 Oct 2004, at 06:50, Airey, John wrote:
On Thu, 21 Oct 2004 13:21:10 +0100, Airey, John
[EMAIL PROTECTED] wrote:
This gives you two options. One, use brute force to break
the SSL encryption. Two (and it's entirely possible that the
security services have this already) come up with a
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Burnes, James
Sent: 14 October 2004 17:42
To: ASB; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Possibly a stupid question RPC over HTTP
Welcome to the wonderful wide world of web services
On Thu, 21 Oct 2004 13:21:10 +0100, Airey, John [EMAIL PROTECTED] wrote:
This gives you two options. One, use brute force to break the SSL encryption. Two
(and it's entirely possible that the security services have this already) come up
with a mathematical way to factor large primes rapidly.
Yeah, it certainly is a security risk in several ways.
Decoding and inspecting HTTPS traffic at the perimeter
before it reaches the server becomes an absolute
necessity if RPC over HTTPS is implemented. Same with
RPC over HTTP.
--
S.G.Masood
--- ASB [EMAIL PROTECTED] wrote:
You need
On Wed, 13 Oct 2004 15:33:13 -0700 (PDT), S G Masood [EMAIL PROTECTED] wrote:
The doc (http://support.microsoft.com/?id=833401) lists the salient points:
1. Verify that your server computer and your client computer meet the
requirements to use RPC over HTTP.
2. Consider important items and recommendations that are described in
this article.
3. Configure Exchange to use
[mailto:[EMAIL PROTECTED] On Behalf Of Rodrigo Barbosa
Sent: Thursday, 14 October 2004 6:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
This is called, in my experience, XML-RPC
Barry Fitzgerald wrote:
Daniel H. Renner wrote:
Daniel,
Could you please point out where you read this data? I would like to
see this one...
I seem to remember that this was one of the caveats with regard to
MSBlast and RPC/DCOM vulnerabilities last year.
In certain
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Wednesday, October 13, 2004 2:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
You need protocol level inspection (i.e. beyond SPI) if you're going
to monitor
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
This may just reflect my ignorance, but I read (and found hard to
believe) that Microsoft has implemented RPC over HTTP. Is this not a
HUGE security hole? If I understand it correctly it means
I have heard the same thing and I have the same concern. The latest and
greatest (?) MS Exchange 2003 uses it for Outlook Web Access and Outlook
2003 may connect to Exchange through it also without needing a VPN.
http://support.microsoft.com/?id=833401
Daniel H. Renner wrote:
Daniel,
Could you
Daniel H. Renner [EMAIL PROTECTED] 10/13/2004 8:37:12 AM:
Daniel,
Could you please point out where you read this data? I would like to
see this one...
Ye god, it's true. And it's recommended by Microsoft as well. One
example:
I remember reading this too. So after a little investigation I've found
the following resources:
http://www.msexchange.org/tutorials/outlookrpchttp.html
http://www.microsoft.com/office/ork/2003/three/ch8/OutC07.htm
Daniel H. Renner wrote:
Daniel,
Could you please point out where you read this data? I would like to
see this one...
I seem to remember that this was one of the caveats with regard to
MSBlast and RPC/DCOM vulnerabilities last year.
In certain configurations, it was theoretically possible
From: Daniel Sichel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
This may just reflect my ignorance, but I read (and found hard to
believe) that Microsoft has implemented RPC over HTTP. Is this not a
HUGE
Look for documentation on SOAP.
Thanks,
Ron DuFresne
On Wed, 13 Oct 2004, Daniel H. Renner wrote:
Daniel,
Could you please point out where you read this data? I would like to
see this one...
--
Cutting the space budget really restores my faith in
This is called, in my experience, XML-RPC (google search with lots
of results). Reference: http://www.xmlrpc.com/spec
Yes, it is a Remote Procedure Calling implementation. No, it is not
the same thing as the good old UDP based RPC used for things
It looks like they have.. (url may wrap)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp
--
Regards,
Sean Milheim
iDREUS Corporation
I have heard the same thing and I have the same concern. The latest
Have a nice day
Maxime Ducharme
Programmer / Network Security Specialist
- Original Message -
From: Daniel H. Renner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 13, 2004 11:37 AM
Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
Daniel
You need protocol level inspection (i.e. beyond SPI) if you're going
to monitor that kind of traffic.
Also, the support for RPC over HTTP (should really be HTTPS) is not as
open ended as you might fear.
Look at the following:
http://www.google.com/search?q=RPC%20over%20HTTPS%20implement
- ASB
This may just reflect my ignorance, but I read (and found hard to
believe) that Microsoft has implemented RPC over HTTP. Is this not a
HUGE security hole? If I understand it correctly it means that good old
HTML or XML can invoke a process using standard web traffic (port 80)?
Is there any