- Securing XML-RPC webservices
- Rutger Claes
April 13, 2005, 2:29 pm
How do you secure XML-RPC? I'm having trouble coming up with a solution
for these problems:
I don't have my own public IP, so SSL is not an option. I was looking
at the OTP specification. Does anybody know a PHP implementation of
OTP (one time passwords) as that would solve the problem of
The XML-RPC service will provide personal information about people. It
has to be encrypted. Remember, no SSL. Is there any support for
encryption in XML-RPC (or SOAP)?
If I were to implement some sort of encryption using the OTP's response
to encrypt the messages, would it be best to encrypt the entire XML
function call and function response, only the CDATA fields of the XML or
only the parameters and the response?
What I need is: a secure XML-RPC connection across an insecure line. Are
there any articles on the internet or any standards to use? Is there
support for this in XML-RPC or SOAP by default?
Thanks in advance,
Rutger Claes email@example.com
Replace tld with top level domain of Belgium to contact me pgp:0x3B7D6BD6
Do not reply to the from address. It's read by /dev/null and sa-learn only
Re: Securing XML-RPC webservices
Rutger Claes wrote:
Same way you secure any HTTP based data....which is pretty much how you
secure any IP data.
Critical issue is how much control you have over the 2 ends of the
Not having a public IP doesn't prevent you from using SSL.
You could set up a VPN....you could use challenges and hashes to authenticate
without sending cleartext passwords...you could use the mcrypt library for
symmetric encryption....you could use the PHP TEA implementation for
symmetric encryption...you could shell out to another program like PGP or
OpenSSL to use asymmetric encryption...
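
The "challenges and hashes" option from the reply above, sketched as an added example that is not part of the original thread. The function names, the shared secret and the sample XML-RPC body are constructed assumptions; it uses PHP's built-in `random_bytes`, `hash_hmac` and `hash_equals` (PHP 7 or later).

```php
<?php
// Added example: challenge-response authentication for an XML-RPC call.
// issueChallenge, signRequest and verifyRequest are hypothetical names.

// Server side: hand out a random, single-use challenge and remember it.
function issueChallenge(array &$pending): string {
    $nonce = bin2hex(random_bytes(16));
    $pending[$nonce] = time() + 60;          // challenge expires after 60 seconds
    return $nonce;
}

// Client side: prove knowledge of the shared secret without sending it.
// The HMAC also covers the request body, so the call cannot be altered in transit.
function signRequest(string $secret, string $nonce, string $body): string {
    return hash_hmac('sha256', $nonce . "\n" . $body, $secret);
}

// Server side: burn the challenge first so a captured response cannot be
// replayed, then compare the MACs in constant time.
function verifyRequest(array &$pending, string $secret, string $nonce,
                       string $body, string $mac): bool {
    if (!isset($pending[$nonce])) {
        return false;                        // unknown or already used challenge
    }
    $expires = $pending[$nonce];
    unset($pending[$nonce]);
    if ($expires < time()) {
        return false;                        // challenge too old
    }
    return hash_equals(signRequest($secret, $nonce, $body), $mac);
}

// Constructed sample data (assumptions, not from the thread).
$secret  = 'constructed-shared-secret';
$body    = '<methodCall><methodName>people.getInfo</methodName>'
         . '<params><param><value><int>42</int></value></param></params></methodCall>';
$pending = [];

$nonce = issueChallenge($pending);
$mac   = signRequest($secret, $nonce, $body);
var_dump(verifyRequest($pending, $secret, $nonce, $body, $mac));  // genuine request
var_dump(verifyRequest($pending, $secret, $nonce, $body, $mac));  // same message replayed

$nonce2   = issueChallenge($pending);
$mac2     = signRequest($secret, $nonce2, $body);
$tampered = str_replace('<int>42</int>', '<int>43</int>', $body);
var_dump(verifyRequest($pending, $secret, $nonce2, $tampered, $mac2)); // body altered in transit
```

This authenticates the caller and protects the integrity of the call, but the XML still travels in cleartext; keeping the personal data confidential needs one of the encryption options listed in the reply.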