Extra Headaches of Securing XML
Eugenia Loli, 2004-03-29, Privacy, Security

Creating a popular new computing approach always seems to bring with it a familiar catch-22: security issues. And Web services is no exception.

3 Comments

2004-03-29 9:15 pm

“Your average script kiddie in a black T-shirt in his basement is probably not hacking XML yet. You need to get a computer science degree to do that,” said Chris Darby, chief executive of XML network company Sarvega and former CEO of security company @stake. “So, if there are attacks, they aren’t very sophisticated.”

Perhaps he’s the former CEO of @stake because he’s clueless… as were most of the people interviewed for this article. The most intelligent comment I saw in the whole article was ultimately stating the obvious, albeit in a somewhat intelligent manner:

“Complexity in and of itself is generally prejudicial to security,” said Tim Bray, one of the co-inventors of XML and now a technical director at Sun Microsystems’ software group.

I think what the article was attempting to describe are two key problems with XML:

1. The resource usage associated with processing and generating XML documents is much higher than the types of queries typically employed by non-XML services. Consequently, a Denial of Service attack carried out by flooding an XML service is easier from the attacker’s perspective than flooding other types of services because the resources consumed by an XML-based service are higher.

2. Input validation of XML is more difficult than other types of services because of the added complexities of XML versus other transaction formats.

Unfortunately, the article merely hints at these conclusions, rather than drawing them itself.

2004-03-29 11:01 pm

how many articles are written for CTOs and managers... devoid of content and brim full of XML-enabled buzzwords. the point of such articles is of course to first entice and then congratulate those who take up these XML-enabled technologies. my word, i think they created an XML-specific denial of service attack just to make these people important (if someone wants to attack it, or if specific attacks exist then it must be of some value, no?). seriously: XML is very over-hyped. there are more cases than not where XML is not a good solution. and quite often it covers the fact that two organisations are not talking as much as they should be. sigh. if it’s not XML, it’ll be .NET or whatever is next for these people to justify their salaries.

2004-03-30 7:46 am

The most stupid and irrational argument I have heard about the adoption of XML Web Services (and the retirement of CORBA) is that they are “good” because you can tunnel the data through HTTP (port 80) and thus bypass firewalls (!!) So I am not surprised that the security aspects of such technologies are not considered so much in the present. In the future though things will probably change.
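The first comment above names two defensive concerns: an XML service burns more resources per request than a simpler protocol, and validating XML input is harder than validating a flat transaction format. One way to address both is to bound what the parser will do before it does it, and to validate the parsed document against an explicit, narrow shape. The Python below is an added example written for this page; it is not code from the article or from any commenter. The byte, depth and element limits, the set of allowed tags, the `<order>`/`<item>`/`<sku>`/`<qty>` schema and the sample documents are all hypothetical values constructed for illustration. It goes slightly beyond the comment, which talks about flooding, by also capping the cost of any single document.

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO

# Resource budget for one request document (hypothetical values chosen for this example).
MAX_BYTES = 64 * 1024      # reject oversized documents before parsing starts
MAX_DEPTH = 16             # reject deeply nested documents
MAX_ELEMENTS = 1000        # reject documents with too many elements
ALLOWED_TAGS = {"order", "item", "sku", "qty"}  # the only element names the service accepts

# Field formats for the hypothetical order schema.
SKU_RE = re.compile(r"[A-Z0-9]{1,16}")
QTY_RE = re.compile(r"[0-9]{1,6}")


class XmlRejected(ValueError):
    """Raised when a document exceeds the resource budget or fails validation."""


def parse_bounded(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                  max_elements=MAX_ELEMENTS, allowed_tags=ALLOWED_TAGS):
    """Parse XML incrementally, aborting as soon as any limit is exceeded.

    Returns the root element on success; raises XmlRejected otherwise.
    """
    if len(data) > max_bytes:
        raise XmlRejected("document too large: %d bytes" % len(data))
    depth = 0
    elements = 0
    root = None
    try:
        # 'start' events fire as each opening tag is parsed, so the limits are
        # checked before the rest of the document is consumed.
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > max_depth:
                    raise XmlRejected("nesting deeper than %d" % max_depth)
                if elements > max_elements:
                    raise XmlRejected("more than %d elements" % max_elements)
                if elem.tag not in allowed_tags:
                    raise XmlRejected("unexpected element <%s>" % elem.tag)
                if root is None:
                    root = elem
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise XmlRejected("malformed XML: %s" % exc)
    return root


def order_items(root):
    """Validate the parsed <order> and return [(sku, qty), ...] with qty as an int."""
    if root is None or root.tag != "order":
        raise XmlRejected("root element must be <order>")
    items = []
    for item in root.findall("item"):
        sku = item.findtext("sku") or ""
        qty = item.findtext("qty") or ""
        if not SKU_RE.fullmatch(sku):
            raise XmlRejected("bad sku %r" % sku)
        if not QTY_RE.fullmatch(qty):
            raise XmlRejected("bad qty %r" % qty)
        items.append((sku, int(qty)))
    return items


# Constructed sample inputs (not taken from any real service).
GOOD_DOC = (b"<order><item><sku>A1</sku><qty>2</qty></item>"
            b"<item><sku>B2</sku><qty>1</qty></item></order>")
DEEP_DOC = b"<order>" * 50 + b"</order>" * 50          # well-formed but 50 levels deep
FOREIGN_DOC = b"<order><note>x</note></order>"          # element name outside the schema
BAD_QTY_DOC = b"<order><item><sku>A1</sku><qty>lots</qty></item></order>"


def check(doc):
    """Run a document through both stages; return the items or the rejection reason."""
    try:
        return ("ok", order_items(parse_bounded(doc)))
    except XmlRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for name, doc in [("good", GOOD_DOC), ("deep", DEEP_DOC),
                      ("foreign", FOREIGN_DOC), ("bad-qty", BAD_QTY_DOC)]:
        print(name, check(doc))
```

Running it prints the outcome for each constructed sample: the valid order yields its two (sku, qty) pairs, and the deep, foreign and bad-quantity documents are rejected with the reason. The point of checking at `start` events is that the budget is enforced while parsing, so an over-limit document is abandoned after a bounded amount of work rather than after it has been fully built in memory.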