News and views from a software developer's perspective
Regarding REST, I'm not sure I understand how a REST web service can be as secure as a SOAP web service. My problem is with URLs, which are typically cached all over the place. You can infer a lot more information about a bunch of URLs that were invoked when interacting with a REST-based service. Consider accessing one's email. If you get your email via a REST service, then one can get a lot more information from URLs saved in proxy logs. Presumably, there is a GET request to a different URL for each message that you read, and from a POST request, you may infer that a message was sent. If you get your messages via a SOAP service, the proxy logs will show only repeated requests to a single URL, so it's much harder to infer information. In another situation, a REST service would assign a URL to a receipt or other sensitive document, which would give crackers a good starting point for their attempt to get sensitive information (such as guessing a password).
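To see how much each style leaves in a proxy log, the following added example (not part of the original post) tallies per client which resources were read and how many POSTs were made, using only the logged method and URL. The log lines, the host name and the URL layout (`/messages/<id>`, `/receipts/<id>`, `/soap`) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: "<client> <method> <url>". Hypothetical host and paths.
REST_LOG = """\
10.0.0.5 GET http://mail.example.com/inbox
10.0.0.5 GET http://mail.example.com/messages/1041
10.0.0.5 GET http://mail.example.com/messages/1042
10.0.0.5 POST http://mail.example.com/messages
10.0.0.5 GET http://mail.example.com/receipts/77
"""
# The same five operations through a single SOAP endpoint (also constructed).
SOAP_LOG = "10.0.0.5 POST http://mail.example.com/soap\n" * 5

LINE = re.compile(r"^(\S+)\s+(GET|POST|PUT|DELETE)\s+(\S+)$")
ITEM = re.compile(r"^/([a-z]+)/(\d+)$")  # assumed /collection/id layout


def summarize(log_text):
    """Per client: what the logged method + URL pairs alone reveal."""
    out = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        client, method, url = m.groups()
        s = out.setdefault(client, {"urls": set(), "items_read": set(), "posts": 0})
        s["urls"].add(url)
        item = ITEM.match(urlsplit(url).path)
        if method == "GET" and item:
            # A GET on /collection/id identifies one specific resource.
            s["items_read"].add((item.group(1), int(item.group(2))))
        elif method == "POST":
            s["posts"] += 1
    return out


if __name__ == "__main__":
    for name, log in (("REST", REST_LOG), ("SOAP", SOAP_LOG)):
        for client, s in summarize(log).items():
            print(name, client, len(s["urls"]), "distinct URLs,",
                  sorted(s["items_read"]), "read,", s["posts"], "POSTs")
```

For the SOAP log every operation is a POST to one URL, so the counts say nothing about which operation was a read and which was a send.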
In researching some HTTP caching issues, I came across this interesting paper [pdf]: Clarifying the Fundamentals of HTTP [Simon Fell]
This paper should be required reading for anyone who wants to really understand HTTP.
Why is HTTP so complex? Well, if you stick with serving simple web pages in a single language, and you don't require compression, partial transfer of content, and so on, then HTTP is quite simple. In perhaps 99% of current usage, it is this simple. But HTTP allows for some very complex situations, such as this: you request an "image" at a certain URL, you specify the formats you prefer -- say PNG, GIF, TIFF, in that order -- and the server chooses a format and sends it. In the real world, however, one would have a different URL for the PNG version, the GIF version, and the TIFF version of the image. It's the same with HTML pages. According to HTTP, you could have a single URL for a web page in multiple languages. In the real world, designers assign a different URL to the English version, to the Spanish version, to the French version, and so on.
