Securing XML-RPC webservices


How do you secure XML-RPC?  I'm having trouble coming up with a solution
for these problems:

* Authentication.
        I don't have my own public ip, so ssl is not an option. I was looking
        at the OTP specification.  Does anybody know a PHP implementation of
        OTP (one time passwords) as that would solve the problem of
* Encryption
        The XML-RPC service will provide personal information about people.  It
        has to be encrypted.  Remember, no ssl.  Is there any support for
        encryption in XML-RPC (or SOAP)?
        If I were to implement some sort of encryption using the OTP's response
        to encrypt the messages, would it be best to encrypt the entire XML
        function call and function response, only the CDATA fields of the XML or
        only the parameters and the response?

What I need is: a secure XML-RPC connection across an insecure line.  Are
there any articles on the internet or any standards to use?  Is there
support for this in XML-RPC or SOAP by default?

        Thanks in advance,
        Rutger Claes
Rutger Claes                                                   rgc@rgc.tld
Replace tld with top level domain of belgium to contact me    pgp:0x3B7D6BD6
Do not reply to the from address.   It's read by /dev/null and sa-learn only

Re: Securing XML-RPC webservices

Rutger Claes wrote:

Same way you secure any HTTP based data....which is pretty much how you
secure any IP data.

Critical issue is how much control you have over the 2 ends of the

Not having a public IP doesn't prevent you from using SSL.

You could set up a
could use challenges and hashes to authenticate without sending cleartext
could use the mcrypt library for symmetric
could use the PHP TEA implementation for symmetric
could shell out to another program like PGP or openSSL to use asymmetric
encryption...
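The reply's suggestion (a challenge plus a hash for authentication, symmetric encryption for the payload) and the original question of what part of the XML-RPC message to encrypt can be shown end to end. The following is an added example, not code from either poster, written in Python rather than PHP so that it runs on the standard library alone. The server issues a single-use random challenge; the client derives per-message keys from a shared secret and that challenge, then encrypts-then-MACs the entire XML-RPC methodCall (method name included, so nothing about the call leaks), and the server answers with the whole methodResponse sealed the same way. The HMAC tag is the proof that the sender knows the secret, so no password or one-time password ever crosses the line in clear. The shared secret, the `person.lookup` method and the record it returns are constructed for the example; the HMAC-SHA256 counter-mode keystream is a stand-in for AES-GCM or ChaCha20-Poly1305 from a real crypto library.

```python
import hashlib
import hmac
import secrets
import xmlrpc.client

# Constructed shared secret; a real deployment provisions it out of band.
SHARED_SECRET = b"constructed-example-secret-provisioned-out-of-band"


def derive_key(secret: bytes, nonce: bytes, label: bytes) -> bytes:
    """Per-message key bound to the challenge; the long-term secret never encrypts data itself."""
    return hmac.new(secret, label + nonce, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks: a PRF in counter mode,
    used here as a stdlib stand-in for AES-GCM / ChaCha20-Poly1305."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(secret: bytes, nonce: bytes, direction: bytes, plaintext: bytes):
    """Encrypt-then-MAC the whole body; 'direction' keeps request and response keys distinct."""
    enc_key = derive_key(secret, nonce, b"enc:" + direction)
    mac_key = derive_key(secret, nonce, b"mac:" + direction)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(secret: bytes, nonce: bytes, direction: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext."""
    enc_key = derive_key(secret, nonce, b"enc:" + direction)
    mac_key = derive_key(secret, nonce, b"mac:" + direction)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong secret or tampered message")
    return keystream_xor(enc_key, nonce, ciphertext)


class Server:
    """XML-RPC endpoint that only answers sealed requests bound to a challenge it issued."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = set()  # challenges issued but not yet consumed
        self.methods = {  # constructed method returning constructed personal data
            "person.lookup": lambda pid: {"id": pid, "name": "Example Person"},
        }

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def handle(self, nonce: bytes, ciphertext: bytes, tag: bytes):
        if nonce not in self.pending:
            raise ValueError("unknown or replayed challenge")
        body = unseal(self.secret, nonce, b"request", ciphertext, tag)
        self.pending.discard(nonce)  # consumed only by a valid request: single use stops replay
        params, method = xmlrpc.client.loads(body.decode())
        result = self.methods[method](*params)
        reply = xmlrpc.client.dumps((result,), methodresponse=True).encode()
        return seal(self.secret, nonce, b"response", reply)


def call(server: Server, secret: bytes, method: str, *params):
    """Client side: fetch a challenge, seal the entire methodCall, unseal the methodResponse."""
    nonce = server.challenge()
    body = xmlrpc.client.dumps(params, methodname=method).encode()
    reply_ct, reply_tag = server.handle(nonce, *seal(secret, nonce, b"request", body))
    reply = unseal(secret, nonce, b"response", reply_ct, reply_tag)
    (result,), _ = xmlrpc.client.loads(reply.decode())
    return result


def demo_roundtrip():
    return call(Server(SHARED_SECRET), SHARED_SECRET, "person.lookup", 42)


def demo_tamper_and_replay():
    """Returns (tamper_rejected, replay_rejected) for one sealed request."""
    server = Server(SHARED_SECRET)
    nonce = server.challenge()
    body = xmlrpc.client.dumps((42,), methodname="person.lookup").encode()
    ct, tag = seal(SHARED_SECRET, nonce, b"request", body)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]  # one flipped bit on the wire
    try:
        server.handle(nonce, tampered, tag)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    server.handle(nonce, ct, tag)  # the genuine request is accepted exactly once
    try:
        server.handle(nonce, ct, tag)  # same bytes again: challenge already consumed
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return tamper_rejected, replay_rejected


if __name__ == "__main__":
    print(demo_roundtrip())
    print(demo_tamper_and_replay())
```

Sealing the whole body rather than only the parameters or CDATA fields means the method name, structure and any fault responses are covered by the same tag, so an observer on the line learns nothing about the call and cannot alter any part of it unnoticed; the nonce-bound keys also mean the same request sealed twice produces different bytes.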
