More on Fallacy #4

Steve Jones on Rest and Distributed Computing Fallacies

One of the objections I've had about REST for a while is that it appears to ignore Deutsch's fallacies of network computing

1. The network is reliable.

2. Latency is zero.

3. Bandwidth is infinite.

4. The network is secure.

5. Topology doesn't change.

6. There is one administrator.

7. Transport cost is zero.

8. The network is homogeneous.

Now REST specifies 8, assumes 1, 2 and 3 and takes 4 to mean HTTP/S with Basic Authentication. Now to be clear I've seen people doing Web Services who believe in pretty much all 8 of these fallacies and they create crap systems. But with things like WS-RM and WS-Security at least there are answers to a few elements.

That basic auth is bypassable has been known for some time, thanks to Amit Klein. It would be nice to Restafarians move the conversation towards better security models like SAML and WS-Security. The current state for Rest is both disappointing and weak. The response side is pretty solveable using XML Signature and XML Encryption to sign and encrypt the responses (of course someone will need to tell the "you just leverage the existing infrastructure types" that we'll need to be deploying keys and certs to all the endpoints but at least the primitives are there on the response side), the request side remains problematic.

More on the Fallacies by Arnon Rotem-Gal-Oz, who incidentally if you are interested in building a secure service has an interesting Service Firewall pattern, which I refer to as a TIDE firewall - dealing with Tampering, Information Disclosure, Denial of Service, and Elevation of Privilege threats at the edge. I understand why Arnon left Spoofing off his list, but would like to see him add audit logging to deal with Dispute.

A claim by any other name is still a claim even if its Restful

I am really enjoying this wonderful new world of Claims-based access control (CBAC), and I think the way that the encryption and signatures have been packaged up into claims (if you like your coffee with WS-*) or assertions (if you like a dab of SAML) is allowing us to deploy security architectures that solve a lot of age old problems. I call 'em claims even though MS/IBM hijacked the term from the SAML people it is shorter.

Rest application need claims too. As Don Box says the rest authentication story blows chunks. Now, you see people reinventing WS-Security in Rest (because they realize they need stronger claims) and unfortunately choosing the weakest token the Username token, which in turn encourages bad programming practice. Piers Cawley on the Rest authentication tarpit:

The problem with implementing the Atom Publishing Protocol is that one of the client apps that we want to support, Nokia’s LifeBlog mobile app, only supports the adaptation of the WSSE UserToken authentication protocol recommended by Marc Pilgrim. There’s lots to like about this protocol, especially the way it allows CGI based servers to take control of authentication without needing access to Apache’s .htaccess or requiring mod_digest to be installed. However, the design of the protocol is such that there’s no way to avoid storing the user’s password in plain text on the server. Which we really, really, really don’t want to have to do.

This would not be a big deal if it was just a one off, but your authentication story is the key to your access control and while authentication can never be perfect, there is a lot of evidence that good ol' username and password isn't that good any more. The problem is not with WS-Security, the problem is the token. While Rest people are reinventing WS-Security they should feel free to not use the username token and instead graduate to Kerberos, X.509, and SAML tokens.

A claim by any other name is still a claim, but some claims are stronger than others.

My larger problem with how I see Rest applications doing authentication is that they still after all these years rely on the old school approach where the server authenticates everything. Umm...are we on a mainframe or something? Why not separate the identity provider from the service provider like the rest of the world? Why send your authN creds across the wire every time? I have not tried but I assume an adapter to some of the SAML profiles would yield this separation quite nicely and give back an address to talk to, and the authN/authZ negotiation could be handled by the IdP and SP allowing the Rest client to talk directly to HTTP verbs served by the server...

You Got Chocolate in My Peanut Butter! Rilke weighs in on Rest and SOAP

Rest and SOAP are supposed to be about interoperability, it is fascinating that they are at each other's throats. I don't see the same level of malice from Rest or SOAP towards say J2EE or Corba. Wonder why this is? Either way it is ironic that proponents of interoperability technologies would want to vanquish each other. Rilke [1] says we need to let go of irony, and not be governed by it. So too must we let go of SOAP v REST. They actually can play nicely *together*, Mark O’Neill gave a good “real world” Web services security talk last week at OWASP (at eBay where I believe these two *do* play nicely together in actual fact), in the case studies section he describes some security considerations for SOAP-Rest integration

The simple fact is that you may need/want to rely on Rest on the edge, but you may also want to leverage SOAP's security mechanisms as you get closer to your enterprise foo (ERP, CRM, etc.). From a security perspective it is hard to do much useful without authentication and integrity, so an STS plays an important role. The example below shows one way, this is similar to the approach that Ping Identity uses in their Ping Federate Web Services.

You got Rest in my SOAP, oh wait, it can work together...and thither irony never descends.

[1] Rainer Maria Rilke:
Irony: Do not let yourself be governed by it, especially not in uncreative moments. In creative moments try to make use of it as one more means of grasping life. Cleanly used, it too is clean, and one need not be ashamed of it; and if you feel you are getting too familiar with it, if you fear this growing intimacy with it, then turn to great and serious objects, before which it becomes small and helpless. Seek the depth of things: thither irony never descends—and when you come thus close to the edge of greatness, test out at the same time whether this ironic attitude springs from a necessity of your nature. For under the influence of serious things either it will fall from you (if it is something fortuitous), or else it will (if it really innately belongs to you) strengthen into a stern instrument and take its place in the series of tools with which you will have to shape your art.

Letters to a Young Poet
(translated by M. D. Herter)

Message is the center

Tim Bray on REST:

Messages All The Way Down · HTTP is a decent and under-appreciated protocol, but in the end maybe the most important thing is that it forces you to think about the messages and how you exchange them. There’s no pretense that Remote Procedures are being called, or Object Models are being shared; I send you some bits and some metadata about them, and you respond with the same. It turns out that in the HTTP universe, at that point our conversation is over, and that turns out to be a good basis for building applications, but the key thing is putting the messages, rather than what they allegedly stand for, at the center

That's great - the message is the center - now REST just needs message level security model and mechanisms like WS-Security. SSL is what is usually bandied about as a security model by Restafarians, but we know from Deutsch, Gosling, and Joy that "the network is secure" is the fourth fallacy of distributed computing.

Two States

James Clark, Technical Lead of the original XML Working Group, neatly summarizes why defense in depth is mandatory not optional in Web services, be they Rest, SOAP, whatever:

XML is fundamentally not OO: XML is all about separating data from processing, whereas OO is all about combining data and processing. Functional programming is a much better fit for XML: the problem is making it usable by the average programmer, for whom the functional programming mindset is very foreign.

The lack of tooling for secure coding is a real problem, the WS-Security people are ahead here for sure, but there is a lot that needs to be done in all camps. Bottom line: We need a defense in depth security model that composes elements of both the security of the processing state (service security if you will) and the data itself (for example message level security), or as some great American Poets called Pavement put it:

two states
we want two states
north and south
two, two states
forty million daggers ...
two states
we want two states
there's no culture
there's no spies
forty million daggers ...

**************************************************

Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group
--- NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).

Question of Risk

Eric Newcomer, as is his wont, gets right to the heart of the issue in WS-* vs. REST is not the question.

The big question isn't whether WS-* is too complex, or REST is better. The question is "for what?" In the context of this workshop, the "what" is enterprise software standardization.

My context in looking at these technologies is security. Security is generally practiced as a subset of overall risk management. The risks are comprised of threats and vulnerabilities against some set of assets. In security architecture, countermeasures are selectively deployed to deal with the threats and vulnerabilites. This is very subjective terrain. The problem I have with the way REST security is generally described is that SSL and firewalls were good enough in 1995 so they are good enough now (certainly not all RESTians say this, but a very high percentage do), and the problem I have is when a REST programmer makes these tradeoffs and decides "heck, I don't need message level security", they are making that tradeoff on someone else's behalf, specifically their identity credentials. At what point does developer productivity intersect with responsibility and due care of users identity credentials?

Here is an example of Tim Bray comparing PHP, Rails, and Java frameworks for web application building. The comparison criteria are Scaling, Dev Speed, Dev Tools, and Maintainability. We are talking web apps and security is not even a first class member yet two classes of developers' concerns are. I am not picking on Tim Bray, this is just a good example of how many development organizations prioritize - what is easiest/best for me, not what is protects my user's assets/identity/data the best. I absolutely think dev tools and speed are important and should be first class members in an evaluation, I am just arguing for security to be there too especially for web apps.And there are real differentiators in security between these two. But it all starts with developers looking not just inward but also outward and protecting their users. The young identity himself, Andre Durand, noted:

• When GM was recently asked, "...are you worried about losing the #1 spot as the worlds largest car manufacturer?" the answer was, "...we're very concerned about maintaining our #1 position as the largest manufacturer of cars."
• When the same question was asked of Toyota, "...are you focused on becoming the #1 car manufacturer in the world," the response was, "we're concerned quality is slipping."

Part of the quality that developers need to consider is not whether or not cars are easier or harder to build if they do or don't have airbags; but rather under what conditions do you want your car to have air bags, ABS, and so on, and then what frameworks has the best airbags and ABS support.

The Impossible Becomes Real: REST "security" understanding reaches new lows

This is genuinely amusing, Pete Lacey tells us that we have all been missing the boat on message level security, it turns out that we security people were just whiners, we already had what we needed with SSL and Kerberos!

To try and put a positive spin on the WSF, one can look on it as the XML-ification of a number of existing technologies. For instance:

Standard/Spec	maps to
WS-Security	SSL (partly)
WS-SecureConversation	SSL (the rest)
WS-Trust	Kerberos

I have to admit I had a brief flicker of hope when I saw Pete's "partly" after SSL, but that hope was shattered when I saw that "the rest" is covered by SSL's ample "ability" to manage the same use cases as WS-SecureConversation!

One last time: WS-Security is message level security, SSL is transport level. There is a vast ocean of space between where enterprises terminate SSL and where your app is. Go ahead and ask your infrastructure team where SSL is terminated.

Dan Pritchett commented on a previous post on REST's lack of message level security:

Great post. The separation of SSL from security of the message is a concept that is often lost on SOAP developers as well. The need to move to more intelligent routers to handle a variety of QoS tasks is pushing SSL termination further from the application server. Assuming that your SSL connection is getting anywhere near your application is a fallacy.

No question that many (approx. 72%) SOAP developers miss this distinction as well. But the point is that SSL in no way provides what WS-Security does, which is end to end not point to point security, or more specificallly end to end message level confidentiality and integrity. "Hey did my "SSL-protected" message get altered after SSL was terminated?" Good question, boss, I have no idea.

Now there are actually some analogs to how SSL and WS-SecureConversation behave, but again one works at the message level and one doesn't. Oh, and WS-SecureConversation supports a wide variety of token types like SAML, X.509, and Kerberos.

Which brings us to WS-Trust and Kerberos. Sorry but this is just laughable. WS-Trust lets you deal with multiple token types one of which is Kerberos, and Kerberos is fine and all (and yes there are analogs to the WS-Trust behaviors and Kerberos TGTs), but what about domains whose access control depends on X.509, legacy username/passwords (cough, cough mainframe), or SAML? The whole purpose of WS-Trust is that we live in an heterogeneous world, and need to mesh together multiple token types for a given transaction -- in an integrated enterprise any one single token type is not going to be sufficient to traverse all the domains.

There are a lot of really smart people in the REST camp, and a lot of good ideas, but 1995 security models aren't good enough any more than muskets are sufficient for the USMC. The big ask on the REST side is for simplicity. Fine. But let's find simple ways to do message level security in REST not SSL and a prayer.

According to the Viridian Principles 1.0

"Eat What You Kill"

It's perfectly acceptable to supersede some time-honored tool or practice. However, you should take pains to fully comprehend the thing you have rendered obsolescent. You are removing some part, however modest, of the infrastructure of civilization. You are destroying the work of previous designers; you should offer them the respect you yourself would hope for, under similar circumstances. This is for your own good. You can't comprehend your own accomplishment until you have fully internalized and understood the accomplishment that you are undoing.

Of all the Web 1.0 technologies, Web 1.0 security (aka firewalls and SSL) is the least suited to a Web 2.0 world.

Neal Stephenson on Transport Level Security Versus Message Level Security

As a security architect, do not assume that you know all the intermediaries and endpoints your message will traverse. Let's go back to 1670 -- from Quicksilver:

The heat was too much. He was out in the street with Uncle Thomas, bathing in cool air.

"They are still warm!" he exclaimed.

Uncle Thomas nodded.

"From the Mint?"

"Yes."

"You mean to tell me that the coins being stamped out at the Mint are, the very same night, melted down into bullion on Threadneedle Street?"

Daniel was noticing, now, that the chimney of Apthorp's shop, two doors up the street, was also smoking, and the same was true of diverse other goldsmiths up and down the length of Threadneedle.

Uncle Thomas raised his eyebrows piously.

"Where does it go then?" Daniel demanded.

"Only a Royal Society man would ask," said Sterling Waterhouse, who had slipped out to join them.

"What do you mean by that, brother?" Daniel asked.

Sterling was walking slowly towards him. Instead of stopping, he flung his arms out wide and collided with Daniel, embraced him and kissed him on the cheek. Not a trace of liquor on his breath. "No one knows where it goes--that is not the point. The point is that it goes--it moves--the movement ne'er stops--it is the blood in the veins of Commerce."

"But you must do something with the bullion--"

"We tender it to gentlemen who give us something in return" said Uncle Thomas. "It's like selling fish at Billingsgate--do the fish wives ask where the fish go?"

"It's generally known that silver percolates slowly eastwards, and stops in the Orient, in the vaults of the Great Mogul and the Emperor of China," Sterling said. "Along the way it might change hands hundreds of times. Does that answer your question?"

Transport level security assumes good security on both endpoints in a point to point scenario and everything beyond those endpoints within the transaction span. Message level security lets the message traverse numerous business, organizational, and technical boundaries, with a modicum of security intact.

REST Security (or lack thereof) part deux

Some people in the REST community are able to see the need for message level security so this is heartening somewhat. If the data is distributed and the security model is point to point (at best), we have a problem. It is a gap in REST today that due to REST's reliance on HTTP, that message level security is an exercise left to the implementer with no open, proven standards to back them up. It doesn't always have to be this way. Maybe some smart software organization can build something that provides these properties for the REST crowd, and get them reviewed. For the time being it is still a gap for REST, which Don Park knew back in 2002:

It is not a key exchange issue. With SOAP, you can easily separate routing information and data so that you can encrypt head and body elements independently, REST does not. Cool thing about SOAP approach is that you can sign with multiple keys so that no only routers don't know about the content, routers themselves don't know where it will eventually end up.

If you do come up with some standard structure to do the same in REST,
you are basically reinventing SOAP.

Right. we don't want the postal worker reading the contents of the envelope, just the addressing header to name on example. I don't have a dog in the REST vs. WS-* hunt, my main concern is the security issues. As Don Smith says - "The message is the king and the contract is the queen." If you want to shrink your perimeter to the message level you can use WS-Security or attempt to roll your own with REST.

Pete Lacey's post restates a bunch transport level security mechansism which offer no message level security:

The standard RESTful security approach is, of course, HTTP Basic or HTTP Digest or SSL certificate-based mutual authentication for propagating identity credentials (the actual act of authentication and authorization being the purview of the server) and SSL for data integrity (digital signatures) and data protection (encryption)

SSL helps with channel security (while rendering the IDS and NSM people blind I might add). He goes on to say

Gunnar notes that these technologies were state of the art in 1995, with the implication they are no longer sufficient for meeting the security needs of the 21st century. This is an example of what I call the “Gilligan, you can’t fly” argument; that is stating that something can’t be done even as somebody else is doing it. The fact is that billions of dollars of worth of business is conducted every year over because of SSL.

Yes, Pete, I honestly do believe that attacker have evolved since 1995. The above statement (and I have heard it many times so he is not alone) tells you what we are up against from a software security standpoint.

Luckily, Robert Sayre agrees that RESTians can learn from the AWS developer token example with regard to dealing with spoofing:

"Sending reusable credentials and messages over HTTP+TLS is extremely common, so the goal of the discussion should focus on preventing the endpoint from impersonating the sender. That’s why I agree with you that AWS is a good example we should build on."

AWS is the best publicly used example I have seen so far. He also has a good post here that gets to one of the main issues:

When I read posts like that, I often wonder how the following sentence from the REST thesis fits in.

"REST component interactions are structured in a layered client-server style, but the added constraints of the generic resource interface create the opportunity for substitutability and inspection by intermediaries."

We have a thriving credential theft industry on our hands, so I'm not sure we can claim TLS is an undeniable success. It's true that many phishing sites don't bother turning on TLS. They don't have to, because lots of banks and things don't serve their credential forms over TLS. They don't have a pleasant choice. It should be obvious that a data stream opaque to intermediaries has several desirable properties, but scalability and reusability are not among them. Besides, it's not like it's impossible to improve on Basic, Digest, and Forms with Cookies. Here is a Python example.

"Both of these standards address identity propagation, message encryption, and message integrity only, and neither will protect you from the threats just mentioned."

Well, some of WS-Security might. I am afraid to read it. I can tell you that the example above will prevent hostile servers from reusing credentials, unless they have broken more than one cryptographic primitive.

I cannot remember an app since 1998-99 that didn't have layers and layers of intermediaries.

Paul Downey says:

I trust the water piped directly to my house, but I’m more careful when it comes to packages which flop through my letterbox. A signed-sealed envelope delivered by a courier boosts my confidence, but helps a lot more if I know who sent it. So whilst WS-Security offers a little more than just TLS, it’s the thought and effort being expended to establish and exchange identity that currently gives WS-* the security edge over REST. It’s great to see that RESTians are starting to at least see the issue

And I totally agree with Don Park's assertion that:

As far as I am concerned, REST and SOAP are both tools. It’s better to focus on what each tool is better at than fighting over which is better.

If I need message level security today, my choices are limited. So just in case people are sitll wondering why we'd need message level security in some cases perhaps this story is helpful

“Using the methods outlined by the researchers, a hacker could siphon off thousands of PIN codes and compromise hundreds of banks, said Odelia Moshe Ostrovsky, the report’s principal author. Criminals could then print phony debit cards and simultaneously withdraw vast amounts of cash using ATMs around the world, she said. ... Word of the apparent security flaw first surfaced two weeks ago, when Ostrovsky and other researchers at Algorithmic Research (ARX) published a paper stating that it would be possible for someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules.

When consumers enter their personal identification numbers, or PINs, into an ATM, the PIN and account number must travel through several computers on a special network before they arrive at their home bank for verification. The data is encrypted immediately after it’s entered at the ATM into what is known as a PIN block, then sent on its way.

Rarely does the transmission go directly to a consumer’s bank. Instead, it is handed off several times on a banking network run by several third parties. Each time a bank passes the data along, it goes through a switch that contains the hardware security module and the PIN block is unscrambled and then rescrambled. It is at these intermediate points where hackers could trick the machines into divulging PINs, the ARX researchers said.

Any similarity between this and corporate data centers is strictly uninentional

“We show in these attacks that using only (a single) function we can reveal the content of every PIN block as if it’s not encrypted,” said Ostrovsky.

PINs thought to be unassailable in transit
The attack theory is significant because it has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. But the ARX report said issuer keys are not necessary because computers along the network can be tricked into revealing PINs through a series of electronic queries that would enable criminals to make educated guesses about – and possibly break — the encryption code.”

Ostrovsky said her company shared the research with the Visa credit card association’s risk management team and other U.S. financial industry security experts six months ago, and recommended systemwide ATM network changes. But U.S. banks weren’t reacting fast enough to the risk, she said, so ARX decided to go public with its information and two weeks ago published a paper titled “The Unbearable Lightness of PIN cracking,” which is now available on the Internet (in Adobe Acrobat format).

Kim Bruce, a spokeswoman for the Secret Service, confirmed that the agency had been in contact with ARX to discuss the paper’s findings, but declined to provide additional detail.

Some questions to ponde. Where does your app terminate SSL? AT the firewall? At F5? At the web server? What is the lifecycle of the data that your REST app sent? How is the message itself protected?

Russian-language Web sites are abuzz with discussions about ATM network attacks, including discussion of the Israeli report, according to data gathered by the Secret Service and viewed by MSNBC.com.

“In the fall of 2005 work for everyone was so successful because an employee of one of America's processors sold a database of material that went through its processing center,” wrote a hacker who belongs to an online gang called Mazafaka, according to an English translation of a Russian Web site compiled by the Secret Service. “This material was then successfully exploited by our carder friends. The consequences of this deal could even be monitored on CNN, as well as in our own work (this applies to cashers). You may have noticed that after this event, ATMs more and more frequently give ‘transaction declined’ notices or give a small sum on the first transaction and then block the card.”

In another exchange cited in the Secret Service memo, a hacker offers to pay for databases of encrypted PINs, which theoretically should be useless someone had discovered a way to translate the data into valid PINs. In still another post, one claims to have recovered account data by “hijacking” hardware security modules

The biggest issue beyond he point to point nature of SSL is that it is an all or nothing proposition

The attacks described in the ARX paper could not be conducted remotely over the Internet. They would require a criminal to be on the same local network as the hardware security module. Because ATM switches are heavily guarded and monitored, such access is unlikely, argued a BITS representative, who spoke on condition of anonymity.

But such ATM switches can be located anywhere in the world, Ostrovsky countered. That creates a “weakest link” vulnerability in which one poorly guarded switch could theoretically be used to compromise every bank whose debit cards have flowed through that switch, she said.

Each switch contains a hardware security module, which is a simple computer in a tamper-proof box designed to perform a few PIN-related functions, beginning with decrypting and encrypting. But the boxes also contain other small programs, or functions, which allow the machines to change a customer’s PIN or calculate other PIN-related values. Most ATM switches don’t need these tools; however, they are often available by default.

This unnecessary software is exploited in some of the attacks described by ARX, which recommends that switch operators turn off the unnecessary functions. But even that’s not enough, Ostrovsky said. The one essential function of a switch -- encrypting and decrypting, a process known as “translate” -- is all an attacker needs to trick the machine into divulging PINs, a hack that would put nearly every ATM switch at risk, she said.

“This is not an attack on a certain configuration or installation. This is an attack on the protocol itself. It must be updated,” Ostrovsky said.

There are competing protocols, or PIN block formats, in use in the ATM network, and each machine must support all those formats, she explained. In one version, the 16-digit PIN block contains two formatting characters, four PIN characters, and 10 additional slots with information about the customer’s account number. That’s the standard used in the U.S. Another standard combines the formatting characters and PIN characters with random digits, and sends the account number separately.

The translate function not only assists in encrypting – it also allows the machine to translate the PIN block from one format to another. This allows an attacker to take advantage of the weaknesses of both, creating“least-common denominator” vulnerability, Ostrovsky said.

The BITS representative who spoke on condition of anonymity conceded such attacks are feasible, but called the risk “very, very, very, very remote.” He added that bank robbers have much easier ways of stealing money than complicated PIN prediction tactics.

Litan is not so sure. She said the research paper undermines the basic premise of ATM network security – the idea that only a computer loaded with the encryption key created by the issuing bank can reveal a PIN.

“The premise was ‘It doesn't matter what happens along the path,’ so even people who could access the PIN blocks couldn’t do anything with them,” she said. “This blows that out of the water.”

And finally

Bank industry officials point out that the attacks must be carried out by someone with direct access to an ATM switch, limiting the potential for abuse. But Litan said the limitation is hardly reassuring.

“It’s not much comfort that they have to be on the inside,” she said. “As we’ve already seen, it’s easy for criminals to open up their own ATM network. And banks do have insiders with flaws.”

I think a technology that is geared towards interoperability, should be able to have an end to end security model which accepts there will be multiple intermediaries in play. Brian Snow termed this "if we cannot trust, how can we safely use?"

REST Security (or lack thereof)

So the whole REST security thing just gets funnier, the S for Simple folks forget that S also stands for security. Here was a response to my post on the fact that people who say REST is simpler than SOAP with WS-Security conveniently ignore things like, oh message level security:

HTTP Basic or HTTP Digest or SSL (certificate-based) for authentication. SSL for encryption and digital signatures. You know, the way we've been doing things since 1995.

Where to start? Right, it was state of the art in 1995. no bout a doubt it. The world has moved on slightly since then. You know a couple 97 million stolen identities, endless phishing/pharming (growing double digit pct each month), malware taking 60% cpu utilization on consumer desktops. You know little stuff like that

HTTP Basic? The hell you say. Here is a round up of ways to break and/or bypass that. There are only 5 listed however.

Report:

Warning of Al Qaeda cyber attack on finance sites
The US government has warned financial services companies of an Al Qaeda call for a cyber attack against online stock trading and banking websites beginning today

Don't worry about that boss, I put HTTP Basic in front of our apps!

SSL? My friend Daniel opined thusly about the wisdom of SSL and REST:

It's nice to run it all over HTTPS, so now the
gigantic hole you made in the firewall will provide some privacy for
me as I dig through your customer's credit card numbers...

You just have to love a point to point security model in a system that last time I checked is supposed to be about interoperability.

Hey boss, where should I put that SSL thingie again?

Now if you are at all serious about putting some security mechanisms in to your REST there are some good examples. One being Amazon's developer tokens using HMAC for authentication at the message level (you know where the data is). But if you are going to say that REST is so much simpler than SOAP then you should compare REST with HMAC, et. al. to the sorts of encryption and signature services WS-Security gives you and then see how much simpler is. And, you know, maybe even see, oh golly gee I don't know, which one protects your customers' data better? Until then, we'll just continue (as Gene Spafford said) using an armored car to deliver between someone living in a cardboard box and someone living on a park bench.

Update: Part 2 (in which we achieve after fashion and many comments something resembling consensus and an action plan to improve REST security) is here