“This XML over HTTP thing was supposed to be easy”, he says…

From the Java quarter, a suggestion that those who "are creating a publically available webservice", to "make sure it is available over HTTPS and encourage people to use the HTTPS version":

    There are way too many badly behaved firewalls and proxies (from companies that should know better) that munge things in ways that are very hard to debug. … For instance (just as a totally random example that I swear has caused me no pain what-so-ever over the last few weeks…), Checkpoint’s NG55 firewall has built in "Cross Site Scripting Protection". Unfortunately, it failes to check MIME types, SOAP actions or ever the user agent header – it just blindly drops any content that contains various defined keyword. It’s a stupid, stupid idea (especially since it doesn’t seem to check unicode versions on the same strings) that is best protected against by running over HTTPS.

Unfortunately HTTPS only protects during part of the story–and it only works with HTTP. Transport-level security only protects the data while it’s in transit, and with a growing adoption rate of Web services comes a growing movement to use other transports as well. (Question for those who think HTTPS is enough to secure your Web service: Where do most credit card numbers get stolen from? Answer: the database, where HTTPS/SSL has no effect whatsoever.) This is why WS-Security (and its related specifications) were created, and unfortunately is a sign that Web services are "growing up".

I’m sorry you got sold the bill of goods that said that "XML over HTTP" was supposed to be easy–it’s only easy so long as you did simple things with it. This is what REST is all about, for example. But as we start to use something good, we start asking more and more of it (like to be secure as the data travels in transit), and that’s when the harder stuff starts to creep in and everything gets complicated again.

After all, it wasn’t that long ago when we were happy just to have TCP/IP standardized across the network–after all, how hard can it be to open() a socket and read() and write() to it?