Comment by stouset

Comment by stouset a day ago

30 replies

View on Hacker News

SAML is absolutely insane. It’s three separate specs: one that defines what every XML element means semantically, one that defines multiple document models that you might want to combine those to use, and one that talks about network protocols you might want to use those documents in.

It’s insane and inscrutable.

I previously worked at the company that first created this gem. It was not written based off actually reading the spec. It was based off a loose examination of what other legitimate docs in the wild looked like, and built to parse those.

Which of course meant that early on it was vulnerable to everything since it was built to fit positive results and not negative ones. This isn’t even the first XML signature issue: early released versions didn’t even bother to check that the part being used was the part that was signed. If any part of the doc was signed and valid it was good to go.

Fun times.

userbinator a day ago

In my experience, anything XML-related seems to be the product of simplicity-hating architecture astronauts with zero consideration for efficiency, possibly as a way of justifying their existence and continued employment.

Standards based on ASN.1 get a lot of hate (X.509 etc.) but I'd rather work with that than XML.

Reply View 23 replies
  • darby_nine 14 hours ago

    > In my experience, anything XML-related seems to be the product of simplicity-hating architecture astronauts with zero consideration for efficiency, possibly as a way of justifying their existence and continued employment.

    I am very confused by people who have emotional reactions to technologies. XML has a number of capabilities that are very difficult to represent in other documents without creating an unreadable mess. XML is more than just the worst SOAP api you've used.

    Reply View 2 replies
    • lcnPylGDnU4H9OF 9 hours ago

      > I am very confused by people who have emotional reactions to technologies.

      Given the phrasing ("simplicity-hating architecture astronauts"), I suspect they're having an emotional reaction to a colleague who, at some point, advocated for their team's use of XML. Which I honestly think is slightly justified if their colleague's advocacy was thoughtless or otherwise unreasonable. Maybe JSON would actually work better for what they were doing. Of course, that said, I also say it's "slightly" justified because good ol' XML did nothing wrong.

      Reply View 0 replies
    • AtlasBarfed 12 hours ago

      ......such as?

      Xml is a hierarchical days structure that has less data hinting to parsers /serializes than json.

      Please don't say namespaces. Broke xpath and other parsing techs. Attrs vs tags? Cdata? Any one remember ibm web services being all cdata tags?

      Reply View 0 replies
  • zerkten 15 hours ago

    This is very true. You only have to look at the list authors/editors of the specs from Oasis to see that they square up with the individuals identified by Joel in https://www.joelonsoftware.com/2001/04/21/dont-let-architect....

    If XML was removed, these specs wouldn't have been much better. The motivation of the companies sponsoring specs was to build something that sold more enterprise middleware and identity servers. This was never going to be attractive to the individuals working with IETF, or the people working on web standards who'd create WHATWG (I know SAML isn't their domain.)

    Many readers here also won't be aware of how web services, SOAP, and XML were the AI hype of the time. These were getting pushed into every kind of solution. At the same time, the alternative options for document and serialization formats weren't ubiquitous, so having XML everywhere was somewhat pragmatic for the average developer. I can't imagine ASP (or early-.NET) developers trying to deal with ASN.1.

    Reply View 0 replies
  • amluto a day ago

    I find XML to be perfectly fine as a markup language. I once set up a system to generate logs as XML elements and display them prettily with XSLT. It was delightful!

    Using XML as an interchange format for things intended to be read by a machine is not so great. Don’t use it where you actually want something more like protobuf.

    Reply View 3 replies
    • bawolff a day ago

      XML isnt great for that, but the xml part is the least of the concerns. XSignature and SAML are insane specs, and would still be insane if the underlying presentation language wasnt xml (i mean, then you wouldnt be using xsignature, but if you made sone xsignature like thing for a different presentation language, it would still be crazy)

      Reply View 1 reply
      • amluto 9 hours ago

        Signatures in XML are nuts. So is all the mess built around RPC in XML, although IMO that’s not as bad as signatures.

        But the problem with signatures has nothing to do with XML per se in my opinion. I could just as easily come up with a similarly poor signature scheme in HTML (snicker), nasty C structs with endian issues, MIME, or even plain English. Hah, someone should make a signature scheme meant to be verified by an LLM that parses it and calls out to a helper to do the actual math :)

        Seriously, though, signing XML well is easy. Take some XML, serialize it to bytes, sign with libsodium, and transport the bytes of XML and the bytes of signature. But do not get cute and transport the signed XML as a subtree in another XML document: the bytes must bytes until the signature is verified. You could maybe get away with sticking it in another document as CDATA [0], but base64 would be better, since you basically can’t screw it up.

        And it’s entirely possible to screw even this up JOSE-style if you lose track of what a “key” is. DO NOT have the signed (document, signature) tuple specify the signature algorithm or parameters. All of that is part of the public key, which the verifier (obviously) needs to acquire out of band.

        [0] Someone may pwn, or at least massively confuse, you if you do this. Imagine what happens if the inner and outer documents have different character encodings.

        Reply View 0 replies
    • jahewson a day ago

      I like your take and I think it is demonstrated by the fact that JSX is nice and YAML is awful.

      Reply View 0 replies
  • zaik 20 hours ago

    XMPP is still a simple and efficient chat protocol. But it makes sure to only allow a sane subset of XML.

    Reply View 3 replies
  • gwervc 19 hours ago

    You are throwing the baby with the bath water. XML is fine, even if it has some gotcha. Astronauts will go wild with any tech at their disposal (I'm seeing it every day at work with .net and JSON).

    Reply View 0 replies
  • tannhaeuser a day ago

    You're not wrong. The amount of fields of use where XML is used bogusly which have nothing to do with markup is truly staggering. XML signing and relying on canonical XML serialization for it is just peak and something else.

    The sad thing is that XML was meant as a simplification over full SGML for delivery of markup on the web. Specifically, XML is always fully tagged (doesn't make use of tag inference), and does neither have empty ("void") elements nor short forms for attributes such as in <option selected>. Thus XML never needs markup declarations for special per-element or per-attribute parsing rules. This was done to facilitate newer vocabularies next to HTML like SVG and MathML.

    But soon enough, folks took the XML specification as an invitation for complexity and a self-serving spec circus: namespaces, XInclude (as a bogus replacement for entity expansion), XQuery, XSLT, XML Schema as a super-verbose replacement for DTDs using XML itself, etc. XHTML 2 was the largest failure and turning point, introducing not just a new vocabulary, but trying to reinvent how browsers work in a design-by-comittee fashion. It could be said that XHTML took W3C down along with it.

    For message payloads in large and long-term multi-party projects (governments, finance/payments, healthcare, etc.), I'm however not sure the alternatives (JSON-over-HTTP and the idiotic quasi-religious apeal to misunderstood "REST" semantics) is really helping. XML Schema, while in part overkill and unused (substitution groups), certainly has facilitated separating service interface from service implementation, multiple generations and multiple implementations, test cases bases, and other long-term maintenance goals.

    Reply View 9 replies
    • eftpotrm 19 hours ago

      I'm not going to argue that XML hasn't been used badly and excessively in a lot of places, it really has, and using every part of it religiously will tie you in knots, fast.

      But I can't help noticing that Json is gaining more and more XML-like functionality through things like schemas and JsonPath, as people slowly realise why XML had those functions they're now having to replace. I'm a long way from convinced that all the engineering effort to switch was actually beneficial.

      Reply View 5 replies
      • dwaite 12 hours ago

        And schema and paths have much the same issues - they are being used as tools in things like network-exchanged messages when the underlying specs and the implementations out there were not designed with that idea in mind.

        You are going to have a bad time if your schema validation tries to resolve schema URL by default.

        You are going to have a bad time if your JSONpath implementation supports the older "eval" mechanisms, or has unbounded memory/processing time growth from top-down traversal of the JSON.

        The issue in the article was purposely avoided in JSON by virtue of JWS not having canonicalization, transforms, or partial signatures. You sign a chunk of binary data, and that binary data might be parsable as JSON.

        Reply View 0 replies
      • darby_nine 14 hours ago

        > But I can't help noticing that Json is gaining more and more XML-like functionality through things like schemas and JsonPath, as people slowly realise why XML had those functions they're now having to replace.

        I think there's an analogy here to static typing and gradual typing. XML is a massive pain in the ass to implement and JSON is often good enough. Only having to implement the features you plan on using is quite nice.

        Reply View 2 replies
      • aversis_ 18 hours ago

        Devs just love reinventing the wheel every few years. Maybe we should switch to CSV next just for fun.

        Reply View 0 replies
    • darby_nine 14 hours ago

      > have nothing to do with markup

      Yes, it's a badly named language. It has nothing to do with markup. As always, intentions don't matter at all, and it's the best tool we have for certain types of structures.

      Reply View 2 replies
      • dwaite 12 hours ago

        It is a properly named language. Just a staggering majority of XML use is for a purpose it was not originally designed for. It is meant to be a good tool for progressive enhancement text markup, such as stylizing hypertext or math equations.

        Reply View 1 reply
        • darby_nine 9 hours ago

          > It is meant to be a good tool for progressive enhancement text markup, such as stylizing hypertext or math equations.

          Well, at least hypertext. I've seen the disaster that is MathML.

          Reply View 0 replies
bradly a day ago

I was jamming this gem rails back in 2009-2010 and will tell you we had no idea what we were doing on our side either. We were a couple a Rails devs at a tiny start up implement Qualcomm's SSO and tbh I'm surprised it actually worked.

There wasn't a two-legged oauth gem at the time so I remember writing one and being blowing away at how much I actually understood the OAuth 1.0 2-legged spec.

Reply View 1 reply
ucarion a day ago

You'll be pleased to know that we're not making a ton of progress on the "split things over N docs" front.

In recent years IETF has given us SCIM (which is sort of like "offline SAML") which is 3 RFCs (goals, schemas, http stuff), and of course JWT is actually part of a series of like 9 RFCs (including JWT, of course, but also JWK, JWS, JWE, JWA, ...).

I think there's this phenomenon where people who are like "dude, nobody cares, just do the dumbest possible thing we can get away with" aren't the people who decide to get involved in writing security specs.

Reply View 1 reply
  • victor106 a day ago

    > SCIM (which is sort of like "offline SAML")

    If you are talking about SCIM (System for Cross Domain Identity Management) then it’s very different from what SAML is. SCIM Is used for user provisioning where as SAML is used for SSO.

    Reply View 0 replies
paradox460 a day ago

Hey a fellow ol alum. Boy I have dark memories of what that gem cost

Reply View 1 reply
  • jrozner a day ago

    Also an alum from WAY back (pre-A). One of the first things I did when I started was look at a different wrapping vuln.

    Reply View 0 replies