lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <416DBE27.7050406@rogers.com>
From: blsonne at rogers.com (Byron L. Sonne)
Subject: Possibly a stupid question RPC over HTTP

The doc (http://support.microsoft.com/?id=833401) lists the salient points:

1. Verify that your server computer and your client computer meet the 
requirements to use RPC over HTTP.
2. Consider important items and recommendations that are described in 
this article.
3. Configure Exchange to use RPC over HTTP.
4. Configure the RPC virtual directory in Internet Information Services.
5. Configure the RPC proxy server to use specific ports.
6. Configure your client computers to use RPC over HTTP.

And this glorious tidbit:

"The RPC client establishes the Internet connection by tunneling the RPC 
traffic through the HTTP protocol. Typical RPC communication is not 
designed for use on the Internet. RPC communication does not work 
reliably through a firewall that is on the perimeter network. RPC over 
HTTP helps make it possible to use an RPC client with firewalls that are 
on the perimeter network. If the RPC client can make an HTTP connection 
to a remote computer that is running Microsoft Internet Information 
Services (IIS), that RPC client can connect to any server on the remote 
network."

This doesn't sound like XML-RPC to me, it sounds like, too literally, 
someone figured that, in theory, encryption and entity/service 
identification of whatever sort can be performed reliably and quickly; 
perfectly so in fact!

So, what you effectively have is a medium/technique/? of communication 
that is easy to deal with and known fairly well by a fair number of 
people (http), already cross platform and architecture independant (http 
and it's text basis, and heck that XDR layer that hangs out with RPC), 
seems to take hacks well (whatever session management and auth stuff you 
can cram on either), plays nice with most firewalling, and sheeeeeeit, 
golly gee lets try and do oldschool RPC, DCOM, DCE-RPC (or whatever it 
is, can't remember exactly at the moment) and see if it'll quack! It's 
easier than doing it the right way (notice that I have not suggested 
one, that's my right as a con-MS bigot ;) and it's here now! Not that I 
wouldn't giggle at MS binary protocols, encryption intrinsic, designed 
explicitly for peoples emails getting shuffled over the internet, and I 
think even they know how well that would go over.

Problem is a medium like that doesn't exist, and the world doesn't 
correspond 1:1 with computer science theory.

In any case, I gotta grab a cold Orangina and ponder whether I 
misappropriated copywritten content in this email. Feh.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ