← back home

Complexity vs. Simplicity: Lessons from the Rise and Retreat of Enterprise Protocols like COM and SOAP

October 13, 2025
Protocol Design Interoperability Complexity Simplicity Developer Experience Api Security Distributed Systems Web Services Rpc Architectural Patterns
View original discussion on Hacker News

The journey of interoperability protocols reveals a recurring tension between comprehensive design and practical utility. Early attempts like COM, SOAP, and CORBA, while ambitious in their goal of enabling seamless communication between disparate systems, often found themselves burdened by complexity, security challenges, and a difficult developer experience.

The Weight of Complexity

Many classic protocols were criticized for being over-engineered. COM, for instance, involved significant ugliness around reference counting, string conversions (BSTRs), and variant types, particularly when programmed with C++. DCOM, built on COM, faced versioning challenges and difficulties with reference counting over networks. CORBA was notorious for being a "monstrously large standard," covering not just communication but entire system architectures.

SOAP, despite its name (Simple Object Access Protocol), became layered with numerous higher-level services, leading to immense complexity in its Web Services Description Language (WSDL) specifications. While SDKs helped abstract some of this, the underlying XML structure was verbose and cumbersome compared to later formats, making quick parsing a high hurdle.

The Allure of Simplicity: REST and JSON

In contrast, the success of what is commonly referred to as "REST"—which is more accurately JSON via HTTP—is largely attributed to its simplicity and flexibility. Developers could easily JSON.parse responses and access fields without needing complex client generation tools. This lighter, looser mechanism resonated deeply with the fast-moving, resource-strapped startups and the evolving landscape of web development, where dynamic HTTP calls from browsers became paramount.

It's important to distinguish this conventional "REST" from Roy Fielding's original definition, often termed HATEOAS (Hypertext as the Engine of Application State). True REST involves hypermedia controls where clients discover available actions and resources from server-provided links, rather than relying on out-of-band documentation like OpenAPI. While elegant, HATEOAS itself is frequently deemed "too much work" in practice, further emphasizing the "worse is better" principle.

Security and Environment Mismatches

Security proved to be a significant pain point for many older protocols. SOAP, relying heavily on XML, was susceptible to vulnerabilities like XML External Entity (XXE) Processing, which could allow attackers to interfere with application logic or access sensitive data. DCOM was designed in an era pre-dating widespread internet adoption, assuming flat, firewall-less networks. Its implicit client-as-server model, where a server might try to call back to a client, became untenable with the rise of firewalls and the need for encryption. Updates to harden DCOM often made administration even more difficult, sealing its fate for internet-facing applications.

Distributed Objects vs. Data Messages

A fundamental shift observed is the move away from distributed object communication (emphasized by COM, CORBA, and early SOAP) towards message formats. Protocols like COM and CORBA explicitly supported object references, allowing clients to interact with remote objects as if they were local. While powerful, this led to issues like obscured call costs (blurring local vs. remote), difficult lifecycle management (servers had to keep objects alive until explicitly released, prone to memory leaks), and complex security models (global namespaces requiring tedious ACLs).

Modern alternatives like REST, JSON, gRPC, and GraphQL primarily focus on message exchange and data structures, sidestepping the complexities of distributed object state management. This aligns with a data-oriented programming approach, where data contracts are prioritized over object abstraction barriers.

Lessons Learned and Modern Approaches

The "failure" of these protocols to achieve universal dominance doesn't mean they vanished. COM and SOAP are still very much alive in corporate IT and industrial automation (e.g., OPC layers on DCOM), where their specific capabilities and robust tooling within certain ecosystems (like Microsoft's) remain valuable. Their story is a testament to how architectural styles, developer experience, security concerns, and environmental evolution shape technology adoption.

Modern RPC systems like Cap'n Proto (and Cap'n Web) revisit the concept of object references but address past pitfalls through:

  • Simplified design: Avoiding the "monstrously large standard" trap.
  • Asynchronous programming and promise pipelining: Crucial for efficient network operations.
  • Improved lifecycle management: Tying object lifetime to connections and client-side scope for automatic disposal.
  • Capability-based security: No global object namespace; permissions are implicitly granted by passing references, offering a more robust security model.

Ultimately, the protocols that gained widespread traction prioritized simplicity, flexibility, and a clearer delineation of client-server roles, proving that often, a simpler, "good enough" solution is better than an overly ambitious, complex one.

Get the most insightful discussions and trending stories delivered to your inbox, every Wednesday.