Simon Fell > Its just code > web services

Saturday, August 30, 2003

No doubt you've seen the announcement of the first rev of the web services. I just whipped up some PocketSOAP code to call it. It uses a WS-Security UsernameToken to pass around your credentials, and whilst your password is digested on the wire, the client gets to pick the Nonce, there's no server challenge part, so whilst you can't work out the original password from a wire trace, there's no need, the included password digest and nonce values are all you need to access the API. Completely open to replay attacks / sniffing credentials, and at the end of the day I don't see how this is anymore secure than standard HTTP basic authentication. On the other hand its a massive improvement over the clusterfuck that is the MS-CRM web services API. (in terms of the API design, not the authenication model, MS-CRM uses IIS's HTTP based authenitication support)