.NET Form Client Connection to .Net Web Service via SSL

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

JeffreyT - 20 Oct 2005 17:32 GMT

Hi Experts,

I consider myself an advanced .NET developer but I am new to SSL. My
question is both simple and perhaps foolish.

I have a .NET Form client consuming a .NET WS via an https request.
I've setup a server-side certificate through a Certificate Authority.

I am using ICertificatePolicy, in my client code, to override the
validation of the server certificate. Hence, by default I think I am
telling the client app to just go ahead and assume the server-side
certificate is valid.

My questions are the following:
1) How do I know if the communication channel is "truely" secure? Is
my data really being encrypted?
2) Do I really not need a client-side certificate to use SSL for client
to server communication in my windows form app?

Reply to this Message

CESAR DE LA TORRE [MVP] - 20 Oct 2005 21:33 GMT

If you are using SSL with a 128-bit Server Certificate, it is quite secure.
Its encription would be very difficult to break. BUT, DO NOT use a 64-bit
Server Certificate, it is not very secure.
About the other question, If you want to make sure about encryption, you can
use any Sniffer to take a look to the Traffic, so you'll see it is encrypted.
Anyway, if your URL is 'HTTPS', it is being encrypting, for sure. ;-). You
cannot use HTTPS without encrypting.

For SSL Communication (SSL provides just end to end encryption) you only
need a Server Certificate, you don't need any Client Certificate. Client
Certicates are for AUTHENTICATION and DIGITAL-SIGNING, not for encrypting.
Also. you could authenticate either with Client-Certificates or any other
credentials, like "user-password", Windows-Integrated.

Signature

CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]

> Hi Experts,
>
[quoted text clipped - 14 lines]
> 2) Do I really not need a client-side certificate to use SSL for client
> to server communication in my windows form app?

Reply to this Message

CESAR DE LA TORRE [MVP] - 20 Oct 2005 21:50 GMT

BTW, about security using WebServices (Encrypt, Sign, Auth, etc.), the best
way you can control everything, AT MESSAGE SOAP LEVEL (instead at protocol
level like SSL), is using WS-Security specifications (part of WS-*
specifications).

Microsoft WS-* specifications are being implemented by Microsoft in the
following ways:

- WSE 2.0 SP2 ("Web Services Enhancements" - Current release version
http://www.microsoft.com/downloads/details.aspx?FamilyId=FC5F06C5-821F-41D3-A4FE
-6C7B56423841&displaylang=en

- WSE 3.0 Beta ("Web Services Enhancements" - Next version
http://www.microsoft.com/downloads/details.aspx?FamilyId=2896249A-D107-4F19-B8E7
-B01DA67A5C02&displaylang=en

- WCF (Windows-Communication-Foundation, codename "INDIGO"). This is the
future in communications over Windows Platform (Windows Vista and Windows
Longhorn Server)
http://www.microsoft.com/downloads/details.aspx?FamilyID=23a22468-5807-4ff7-a363
-ce6fe69b8f04&displaylang=e
http://www.microsoft.com/downloads/details.aspx?FamilyId=CE888B4C-CCBD-452F-9D90
-F4B7190CCA24&displaylang=en

Signature

CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]

> If you are using SSL with a 128-bit Server Certificate, it is quite secure.
> Its encription would be very difficult to break. BUT, DO NOT use a 64-bit
[quoted text clipped - 28 lines]
> > 2) Do I really not need a client-side certificate to use SSL for client
> > to server communication in my windows form app?

Reply to this Message

.NET Form Client Connection to .Net Web Service via SSL

Free Magazines