Perlmonks : SOAP::Lite and Security

"But the fundamental problem is that SOAP is a poorly designed protocol designed with no eye to security, and built largely for the convenience offered because most firewalls will let through http traffic. This was pointed out a long time ago by Bruce Schneier, but it is amazing how many people have missed the basic point. The point is that firewalls are retroactive protection for security mistakes in applications. If applications seek new ways around firewalls but continue to make the same basic mistakes then you are guaranteed to get into a situation where firewalls need to retroactively filter a more complicated protocol."

