Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
- From: "Byron L. Sonne" <blsonne@xxxxxxxxxx>
- Date: Wed, 13 Oct 2004 19:45:43 -0400
The doc (http://support.microsoft.com/?id=833401) lists the salient points:
1. Verify that your server computer and your client computer meet the
requirements to use RPC over HTTP.
2. Consider important items and recommendations that are described in
this article.
3. Configure Exchange to use RPC over HTTP.
4. Configure the RPC virtual directory in Internet Information Services.
5. Configure the RPC proxy server to use specific ports.
6. Configure your client computers to use RPC over HTTP.
And this glorious tidbit:
"The RPC client establishes the Internet connection by tunneling the RPC
traffic through the HTTP protocol. Typical RPC communication is not
designed for use on the Internet. RPC communication does not work
reliably through a firewall that is on the perimeter network. RPC over
HTTP helps make it possible to use an RPC client with firewalls that are
on the perimeter network. If the RPC client can make an HTTP connection
to a remote computer that is running Microsoft Internet Information
Services (IIS), that RPC client can connect to any server on the remote
network."
This doesn't sound like XML-RPC to me, it sounds like, too literally,
someone figured that, in theory, encryption and entity/service
identification of whatever sort can be performed reliably and quickly;
perfectly so in fact!
So, what you effectively have is a medium/technique/? of communication
that is easy to deal with and known fairly well by a fair number of
people (http), already cross platform and architecture independent (http
and its text basis, and heck that XDR layer that hangs out with RPC),
seems to take hacks well (whatever session management and auth stuff you
can cram on either), plays nice with most firewalling, and sheeeeeeit,
golly gee let's try and do oldschool RPC, DCOM, DCE-RPC (or whatever it
is, can't remember exactly at the moment) and see if it'll quack! It's
easier than doing it the right way (notice that I have not suggested
one, that's my right as a con-MS bigot ;) and it's here now! Not that I
wouldn't giggle at MS binary protocols, encryption intrinsic, designed
explicitly for people's emails getting shuffled over the internet, and I
think even they know how well that would go over.
Problem is a medium like that doesn't exist, and the world doesn't
correspond 1:1 with computer science theory.
In any case, I gotta grab a cold Orangina and ponder whether I
misappropriated copyrighted content in this email. Feh.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
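
Step 5 of the quoted list ("Configure the RPC proxy server to use specific ports") is what limits the "can connect to any server on the remote network" reach described in the quoted passage. The following is an added example, not part of the original post or Microsoft's article: a check of an RPC proxy `ValidPorts` string (the `host:port-range;...` value stored under `HKLM\Software\Microsoft\Rpc\RpcProxy`) for entries that are broader than intended. The host names, the sample strings and the expected port set (6001, 6002, 6004, the ports commonly used for Exchange 2003) are assumptions.

```python
# Added example: audit an RPC proxy ValidPorts string.
# All sample values below are constructed for illustration.
EXPECTED_PORTS = {6001, 6002, 6004}  # assumption: Exchange 2003 RPC over HTTP ports

WIDE = "exch01:100-5000"  # constructed: one host, very broad range
TIGHT = ("exch01:6001-6002;exch01.corp.example:6001-6002;"
         "exch01:6004;exch01.corp.example:6004")  # constructed: pinned ports


def parse_valid_ports(value):
    """Parse 'host:port[-port];host:port...' into (host, low, high) tuples."""
    entries = []
    for item in filter(None, (p.strip() for p in value.split(";"))):
        host, sep, ports = item.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {item!r}")
        low, _, high = ports.partition("-")
        low, high = int(low), int(high or low)
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range in: {item!r}")
        entries.append((host.lower(), low, high))
    return entries


def audit(value, allowed_hosts, expected_ports=EXPECTED_PORTS, max_span=8):
    """Return (host, range, reason) for entries that widen the proxy's reach."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for host, low, high in parse_valid_ports(value):
        span = f"{low}-{high}"
        if host not in allowed:
            findings.append((host, span, "host not in allow-list"))
        if high - low + 1 > max_span:
            findings.append((host, span, "port range too wide"))
        elif not set(range(low, high + 1)) <= expected_ports:
            findings.append((host, span, "unexpected port"))
    return findings


if __name__ == "__main__":
    for label, value in (("wide", WIDE), ("tight", TIGHT)):
        print(label, audit(value, {"exch01", "exch01.corp.example"}))
```
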