Source : http://www.cioupdate.com
Activity:
4 comments
520 views
last activity : 10 29 2010 09:42:49 +0000
iSEC Partners researcher Brad Hill spent about an hour at the Black Hat show here making his case against the WS-Security stack and showing how it could be compromised by an attacker.
The fix for the problems Hill identified may lie in how WS-Security is configured; one option is to fall back on the established SSL mechanisms for securing the transport.
"SSL is getting an anti-cult following, and some argue that it's not right for the Web Services world," Hill told the Black Hat audience. "I disagree. SSL does almost everything you need for real-world Web service deployment."
He added that there is a lot of complexity in dealing with what he considers immature WS-Security standards.
He described the WS-Security stack as a target-rich environment that is open to attack. In contrast, SSL with client certificates keeps users out of the message stack unless they are authenticated. So it could be said that WS-Security is not ready to use out of the box the way SSL is.
In gruesome detail, Hill walked through attack vectors for every step of the signing process, going line by line through a basic XML digital certificate that protected only a few words of text.
Among the issues he raised was the use of XSLT, which WS-Security permits for transforming XML documents into other XML documents. Hill noted that it would be very easy to build a loop in XSLT that consumes unbounded resources from a tiny message.
The real killer for XSLT and Web Services security is that XSLT also supports extensions.
"An attacker could use it to do all kinds of malicious things with valid XML that could be shipped in a signature."
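The defensive counterpart to the XSLT point above is to refuse, before any signature verification runs, any XML Signature whose Reference carries an XSLT transform or an unlisted transform algorithm, and to cap message size and transform count so a tiny message cannot commit the receiver to unbounded work. The following Python is an added example written for this page, not code from Hill, iSEC Partners, or any WS-Security toolkit; the allowlist of transform URIs, the size and count limits, and the two sample messages are constructed assumptions for illustration.

```python
"""Allowlist the Transform algorithms declared in an XML Signature (XMLDSig) message.

Added example (not from the page's author): a receiver-side policy check that runs
before signature verification. XML Signature lets the *sender* choose the transforms
applied to signed data, and the XSLT transform means the sender ships a stylesheet
that the receiver would execute. Rejecting that transform outright, together with a
size cap and a transform-count cap, removes the "tiny message, unbounded work" case.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumption: a hardened deployment accepts only these transform algorithms.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}
# Assumed operational limits; tune to the real message profile.
MAX_MESSAGE_BYTES = 64 * 1024
MAX_TRANSFORMS_PER_REFERENCE = 2


def check_signature_transforms(xml_bytes):
    """Return a list of policy violations; an empty list means the message passes."""
    violations = []
    # Cheap check first: never parse something larger than the profile allows.
    if len(xml_bytes) > MAX_MESSAGE_BYTES:
        violations.append("message exceeds size limit")
        return violations
    # xml.etree does not fetch external entities; DTD/entity-expansion limits
    # are a separate hardening step outside this example.
    root = ET.fromstring(xml_bytes)
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        transforms = ref.findall(f"{{{DS_NS}}}Transforms/{{{DS_NS}}}Transform")
        if len(transforms) > MAX_TRANSFORMS_PER_REFERENCE:
            violations.append(f"too many transforms on Reference {uri!r}")
        for t in transforms:
            alg = t.get("Algorithm", "")
            if alg == XSLT_TRANSFORM:
                violations.append(f"XSLT transform rejected on Reference {uri!r}")
            elif alg not in ALLOWED_TRANSFORMS:
                violations.append(f"unlisted transform {alg!r} on Reference {uri!r}")
    return violations


def signature_is_acceptable(xml_bytes):
    """Boolean wrapper: True only when no policy violation was found."""
    return not check_signature_transforms(xml_bytes)


# Constructed sample: one Reference using only the exclusive-c14n transform.
GOOD_SIGNATURE = b"""<Envelope xmlns="urn:example:constructed">
  <Body Id="body">hello</Body>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#body">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</Envelope>"""

# Constructed sample: same message, but the Reference carries a sender-supplied
# XSLT stylesheet (a harmless one here; the policy rejects it regardless).
XSLT_SIGNATURE = GOOD_SIGNATURE.replace(
    b'<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>',
    b'<Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">'
    b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    b'<xsl:template match="/"><xsl:value-of select="."/></xsl:template>'
    b'</xsl:stylesheet></Transform>',
)

if __name__ == "__main__":
    print("good:", check_signature_transforms(GOOD_SIGNATURE))
    print("xslt:", check_signature_transforms(XSLT_SIGNATURE))
```

The check deliberately inspects the `Transform` elements only and never evaluates their contents: the stylesheet is treated as opaque data to be rejected, not as something to run in a sandbox. Deployments that genuinely need XPath filtering would extend `ALLOWED_TRANSFORMS` with that one URI and keep the count cap, rather than re-admitting XSLT.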
The solutions to the issues raised are not simple, but they are fixable. Updates to the WS-I Basic Security Profile should be made to ensure better security with less operational complexity.
"Today there is no simple and secure profile, and this is a big problem. That is what I want to see come out of the W3C revisions."
Tell me more on this topic; I will be waiting for your replies.