Steve Lamb's Blog

Security Matters


A "Plain English" description of what we mean by RPC over HTTP(S)


Eileen's posted a nice concise description explaining "what is RPC over HTTP(S)".

As we move away from requiring Virtual Private Networks (VPNs) and towards using Secure Sockets Layer (SSL) as the transport, we gain flexibility, a better user experience and a reduced attack surface.

Consider the common scenario of picking up your email from a remote network location. If you establish a VPN connection from your client to the corporate network you effectively have the same level of access to resources that you would have when working in the office. If you're only picking up email and surfing the web, do you really need access to any other corporate applications, services or file systems? The more you have access to, the more opportunity exists for compromise: whatever the VPN client can reach, anything that compromises that client can reach too.

If you are running Microsoft Outlook 2003 (or above) together with Microsoft Exchange Server 2003 you can take advantage of "RPC over HTTP". RPC over HTTP tunnels the Outlook-to-Exchange RPC traffic inside an HTTPS connection from your client computer to the Exchange server, so the only thing the client needs is an HTTPS (TCP 443) connection to the server, and the need for a full VPN is removed.

RPC over HTTP actually uses the Secure Sockets Layer (SSL) protocol as the transport for the traffic. SSL requires the server to authenticate itself to the client using a digital certificate (and the associated private key). SSL is normally configured to encrypt traffic before transmitting it between the server and client and vice versa, but note that "normally" is doing some work there: whether, and how strongly, the traffic is actually encrypted depends on the cipher suites the server is configured to offer.

Note: I have seen examples of production systems (on the Internet) that have been poorly configured to use zero bit encryption - the "padlock" SSL icon still shows. Such cases are thankfully very rare. I first observed such a configuration on an online trading site that I'd planned to use - needless to say I declined transacting with the site. The problem is that very few people check the status of the certificates and therefore wouldn't notice such a configuration. Internet Explorer 7 takes the complexity out of this scenario by graphically representing suspect websites with a red-coloured address bar.
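The practical lesson from the note above is not to trust the padlock but to look at what was actually negotiated. The following script is an added example and is not part of the original post or of any Microsoft tooling: it makes the TLS connection itself with certificate verification on, reads back the negotiated protocol, cipher suite and effective key bits, and classifies the result. The hostname `mail.example.com` is an assumed placeholder, and the "none/weak/ok" thresholds are this example's own policy rather than a standard.

```python
import socket
import ssl
import sys


def classify_cipher(name, bits):
    """Classify a negotiated cipher suite by its name and effective key bits.

    'none' : no confidentiality at all (the "zero bit" case from the note)
    'weak' : encrypted, but with an export-grade or obsolete algorithm
    'ok'   : 128-bit or better with a modern algorithm
    The thresholds are this example's own policy, not a published standard.
    """
    upper = name.upper()
    if bits == 0 or "NULL" in upper:
        return "none"
    if bits < 128 or any(tag in upper for tag in ("EXP", "RC4", "DES", "RC2", "MD5")):
        return "weak"
    return "ok"


def probe_tls(host, port=443, timeout=10):
    """Connect to host:port with chain and hostname verification enabled and
    report what the server actually negotiated.

    Raises ssl.SSLError if the certificate does not verify, which is the
    correct outcome: an unverifiable server should not earn the padlock.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, bits = tls.cipher()  # (suite, protocol, secret bits)
            cert = tls.getpeercert()
    # getpeercert() returns the subject as nested tuples of (key, value) pairs.
    subject = dict(item[0] for item in cert.get("subject", ()))
    return {
        "host": host,
        "protocol": version,
        "cipher": name,
        "bits": bits,
        "verdict": classify_cipher(name, bits),
        "subject_cn": subject.get("commonName"),
        "not_after": cert.get("notAfter"),
    }


def report(result):
    """Turn a probe result into the one-line verdict a user would want to see."""
    verdict = result["verdict"]
    if verdict == "none":
        return f"{result['host']}: REFUSE - padlock but NO encryption ({result['cipher']})"
    if verdict == "weak":
        return f"{result['host']}: WARN - weak cipher {result['cipher']} ({result['bits']} bits)"
    return (f"{result['host']}: OK - {result['protocol']} {result['cipher']} "
            f"({result['bits']} bits), CN={result['subject_cn']}, expires {result['not_after']}")


if __name__ == "__main__":
    # The hostname is an assumption; point it at your own RPC over HTTP front end.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    try:
        print(report(probe_tls(target)))
    except ssl.SSLError as err:
        print(f"{target}: REFUSE - certificate did not verify: {err}")
```

One caveat: a current Python build does not offer NULL cipher suites at all, so against a server that only allows zero-bit encryption the handshake simply fails instead of succeeding with `bits == 0`. That is the safe behaviour for a client, but if you are auditing a server and want to see whether it would accept such a suite, widen the offered list with `ctx.set_ciphers(...)` deliberately and keep `classify_cipher` as the gate.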

The most common use of RPC over HTTP(S) - a Microsoft Outlook client communicating with Microsoft Exchange Server.
