| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: blsonne at rogers.com (Byron L. Sonne) Subject: Possibly a stupid question RPC over HTTP The doc (http://support.microsoft.com/?id=833401) lists the salient points: 1. Verify that your server computer and your client computer meet the requirements to use RPC over HTTP. 2. Consider important items and recommendations that are described in this article. 3. Configure Exchange to use RPC over HTTP. 4. Configure the RPC virtual directory in Internet Information Services. 5. Configure the RPC proxy server to use specific ports. 6. Configure your client computers to use RPC over HTTP. And this glorious tidbit: "The RPC client establishes the Internet connection by tunneling the RPC traffic through the HTTP protocol. Typical RPC communication is not designed for use on the Internet. RPC communication does not work reliably through a firewall that is on the perimeter network. RPC over HTTP helps make it possible to use an RPC client with firewalls that are on the perimeter network. If the RPC client can make an HTTP connection to a remote computer that is running Microsoft Internet Information Services (IIS), that RPC client can connect to any server on the remote network." This doesn't sound like XML-RPC to me, it sounds like, too literally, someone figured that, in theory, encryption and entity/service identification of whatever sort can be performed reliably and quickly; perfectly so in fact! So, what you effectively have is a medium/technique/? of communication that is easy to deal with and known fairly well by a fair number of people (http), already cross platform and architecture independant (http and it's text basis, and heck that XDR layer that hangs out with RPC), seems to take hacks well (whatever session management and auth stuff you can cram on either), plays nice with most firewalling, and sheeeeeeit, golly gee lets try and do oldschool RPC, DCOM, DCE-RPC (or whatever it is, can't remember exactly at the moment) and see if it'll quack! It's easier than doing it the right way (notice that I have not suggested one, that's my right as a con-MS bigot ;) and it's here now! Not that I wouldn't giggle at MS binary protocols, encryption intrinsic, designed explicitly for peoples emails getting shuffled over the internet, and I think even they know how well that would go over. Problem is a medium like that doesn't exist, and the world doesn't correspond 1:1 with computer science theory. In any case, I gotta grab a cold Orangina and ponder whether I misappropriated copywritten content in this email. Feh.
Powered by blists - more mailing lists