“RE: Simple Cross-Network Scripting”

On 2/8/02, Brian Andresen said:

>Ah, it's clear that you haven't spent much time using a packet
>sniffer. :-)  

True. Like, none.

I didn't realize he was talking about end-to-end password security until his second message.

>Now that you've got yourself a Unix-based OS, go get ethereal and look
>at what's traveling on your network. And on every network connecting
>you to the server on the other end.

Get the behind me, Brian. I don't have time for any more cool toys right now.

Oh, man, too late... the tempter wins again.

>Obviously this isn't as much of an issue if you're doing local RPC,
>between machines on your own LAN.  But in the general case, you'll
>have cleartext passwords heading out through the net.

I knew that, of course, but I thought he was talking about people seeing the password in his source. He asked about keeping the xmlrpc call from prying eyes... that could refer to the call as it's written in the source, or it could refer to the call over the network.

>It's not XML-RPC's job -- at least not the way Dave has cast it so far
>-- to handle this aspect of authentication and security.  I think that
>could be a good thing, because it leaves room for standards like TLS
>(Transport Layer Security, formerly known as SSL -- see
>http://www.ietf.org/html.charters/tls-charter.html).  If only Frontier
>supported it...

XML-RPC itself can be used in any number of transport protocols. I know it's been run over SMTP.

You can run it over https (TLS, or SSL, whatever) now, if you shut off Frontier's server and put it behind IIS or SSL. Then you'd just need that DLL in your client copy of Frontier to have end-to-end encryption.

Seth