May 22, 2002

Regarding REST, I'm not

Regarding REST, I'm not sure I understand how a REST web service can be as secure as a SOAP web service. My problem is with URLs, which are typically cached all over the place. You can infer a lot more information about a bunch of URLs that were invoked when interacting with a REST-based service. Consider accessing one's email. If you get your email via a REST service, then one can get a lot more information from URLs saved in proxy logs. Presumably, there is a GET request to a different URL for each message that you read, and from a POST request, you may infer that a message was sent. If you get your messages via a SOAP service, the proxy logs will show only repeated requests to a single URL, so it's much harder to infer information. In another situation, a REST service would assign a URL to a receipt or other sensitive document, which would give crackers a good starting point for their attempt to get sensitive information (such as guessing a password).

Posted by Doug Sauder at May 22, 2002 11:47 AM
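As an added illustration of the leakage the comment describes (not code from the original post), the script below runs a few constructed forward-proxy log lines through a small classifier and shows what an observer can infer per client from the URL and method alone: the REST-style layout (one URL per message, assumed to be `/inbox/messages/<id>` and `/outbox/messages`) yields a list of messages read and a count of messages sent, while the SOAP-style layout (every call POSTed to one assumed `/soap` endpoint) yields only an opaque request count. The host name, paths and log format are assumptions for the example.

```python
# Added example: what a proxy access log reveals about mail activity for a
# REST-style service versus a SOAP-style service. Log lines, host and URL
# layouts are constructed for illustration, not taken from a real service.
import re
from collections import defaultdict

# Constructed log: client IP, method, full URL (one entry per line).
PROXY_LOG = """\
10.0.0.5 GET http://mail.example/inbox/messages/1042
10.0.0.5 GET http://mail.example/inbox/messages/1043
10.0.0.5 POST http://mail.example/outbox/messages
10.0.0.5 GET http://mail.example/inbox/messages/1042
10.0.0.9 POST http://mail.example/soap
10.0.0.9 POST http://mail.example/soap
10.0.0.9 POST http://mail.example/soap
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+)$")
# Assumed REST layout: a distinct URL per message in the inbox.
READ_RE = re.compile(r"/inbox/messages/(\d+)$")
SEND_PATH = "/outbox/messages"


def infer_activity(log_text):
    """Per client IP, what the URL and method alone let an observer infer."""
    per_client = defaultdict(
        lambda: {"messages_read": set(), "messages_sent": 0, "opaque_calls": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed entry
        client, method, url = m.groups()
        info = per_client[client]
        read = READ_RE.search(url)
        if method == "GET" and read:
            info["messages_read"].add(read.group(1))   # which message was read
        elif method == "POST" and url.endswith(SEND_PATH):
            info["messages_sent"] += 1                  # a message was sent
        else:
            info["opaque_calls"] += 1  # single-endpoint call: nothing to infer
    # Return sorted lists so results are deterministic and easy to compare.
    return {
        c: {"messages_read": sorted(v["messages_read"]),
            "messages_sent": v["messages_sent"],
            "opaque_calls": v["opaque_calls"]}
        for c, v in per_client.items()
    }


if __name__ == "__main__":
    for client, summary in infer_activity(PROXY_LOG).items():
        print(client, summary)
```

Pointing the same classifier at your own proxy or access logs (with patterns for your own URL layout) is a quick way to audit how much resource-level detail they retain.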