My buddy Gunnar Peterson has recently been raging about the inadequacies of REST security, pointing out that RESTful folks who equate transport-level confidentiality (such as SSL provides) with “security” are only partly right. Gunnar makes some fairly involved references (Neal Stephenson) to make the point.
Of course, Gunnar is right.
When I speak with people about application security, I try to use a few snappy analogies to drive the point home. And with respect to the difference between transport-level security and message-level security, the analogy I use is to compare SSL to a concrete sewer pipe. You may not be able to break into it, but you sure as hell have no idea what’s flowing through it.