• To: xml-dev@l...
• Subject: Re: SOAP-RPC and REST and security
• From: Gavin Thomas Nicol <gtn@r...>
• Date: Wed, 20 Feb 2002 17:38:56 -0500
• In-reply-to: <D7155AD41ECFD511AF4A00B0D0202CB51DFE13@MAILHOST>
• Organization: Red Bridge Interactive, Inc.
• References: <D7155AD41ECFD511AF4A00B0D0202CB51DFE13@MAILHOST>

On Wednesday 20 February 2002 04:38 pm, Michael Brennan wrote:
> > Visibility/discovery. Knowing about something is a priviledge. Not
> > even providing a means for discovery is better protection
> > than fending off people trying to break down the door.
>
> Security through obscurity is the worst kind of security there is.

I'm not talking about security via obscurity.... but rather not having 
*any* path to a resource unless explictly granted it. One is roughly 
akin to ACL's, the other, capabilities.

> Given enough time, someone will always figure out what you are
> trying to hide. There are plenty of well-known case studies of
> security breaches proving that. Just look through the back issues of
> Bruce Schneier's newsletter [1] and you can find plenty of those;
> it's one of his favorite subjects.

Whatever. A resource that is hidden but accessible is different from 
one that is both invisibile (literally not visible) and not 
accessible... 

• Follow-Ups:
  • Re: SOAP-RPC and REST and security
    • From: John Cowan <cowan@m...>

• References:
  • RE: SOAP-RPC and REST and security
    • From: Michael Brennan <Michael_Brennan@A...>

• Prev by Date: Re: SOAP-RPC and REST and security
• Next by Date: RE: SOAP-RPC and REST and security
• Previous by thread: RE: SOAP-RPC and REST and security
• Next by thread: Re: SOAP-RPC and REST and security
• Index(es):
  • Date
  • Thread