Encrypting data vs using HTTPS?

Richard L Rosenheim - 11 Apr 2005 01:20 GMT
Anyone care to express their two cents over pros and cons of encrypting the
data being transmitted (within the SOAP package) versus just utilizing a
HTTPS connection?

Richard Rosenheim
Keenan Newton - 11 Apr 2005 08:00 GMT
My experiences are that from a performance stance they are about the
same.  However, I thought encrypting the SOAP message was simpler.
Not to mention using HTTPS is also transport specific.  If you want to
use a different protocol such as TCP, then you are going to need
another mechanism for encrypting your transmissions.  I think
eventually the development community will realize sending SOAP messages
via HTTP does not perform well, and maybe using a simpler protocol
like say TCP would be more efficient.  My suggestion is to encrypt the
SOAP package; that way your encryption is independent of the transport
mechanism you are sending your SOAP messages on.
Rafal Gwizdala - 11 Apr 2005 21:04 GMT
> My experiences are that from a performance stance they are about the
> same.  However, I thought encrypting the SOAP message was simpler.
[quoted text clipped - 6 lines]
> SOAP package; that way your encryption is independent of the transport
> mechanism you are sending your SOAP messages on.

Hello

Did you consider what is easier for your web service clients - to use
custom message encryption, or to use a standard SSL connection? There is
no performance gain in using custom encryption, so why choose it?
When you introduce a nonstandard encryption you put a requirement on
your clients to write and maintain some specific code - that means
bugs, problems, unknown level of compatibility, no portability...
With HTTPS + SOAP you have everything standard, compatible, easy to set
up and maintain and, well, guaranteed to work. And you don't have to
reinvent the wheel when it comes to, for example, client authentication.
You also aren't limited to HTTP with HTTPS - SSL supports any
application-level protocol, not only HTTP - it is a transport layer just
as TCP.

Best regards,
Rafal Gwizdala
Richard L Rosenheim - 12 Apr 2005 21:08 GMT
Thanks for both replies.

In considering your points (and I didn't think about the possibility that some
day something besides HTTP/HTTPS could possibly be utilized), it seems that
staying with the basic web service protocol and utilizing HTTPS is probably the
best approach to take today.

Yes, the inefficiency of character-based messages (in comparison to binary
data) does bother me.  But, I'm not aware of any standard currently in place
to help out in this matter.  Utilizing remoting doesn't seem to be the way
to go, especially with Microsoft saying that remoting is on its way out.

Richard Rosenheim

> > My experiences are that from a performance stance they are about the
> > same.  However, I thought encrypting the SOAP message was simpler.
[quoted text clipped - 24 lines]
> Best regards,
> Rafal Gwizdala
Keenan Newton - 15 Apr 2005 17:16 GMT
Ummm well Rafal,  I have some concerns with your reply. First, WS-Security
is a standard; nothing custom about the specification.  Secondly, using
SSL is only good point to point, in other words from a client to server.
Using WS-Security the SOAP packet can be encrypted along the entire,
say between queues.  I'd rather have my encryption at the message level,
not the transport level.  This way I have better control of the
security and integrity of my data throughout my application.
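
The point-to-point versus message-level distinction raised in the post above, as an added example that is not part of the original thread and not a WS-Security implementation: it swaps in AES-GCM with a pre-shared key to show that an intermediary can route on the header while the body stays opaque until the final service. The element names, the key handling and the sample message are assumptions, and it targets .NET 8.

```csharp
// Added example (not from the thread). Assumes .NET 8; names and key are illustrative.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

static class MessageLevelDemo
{
    // Sender: encrypt the Body text; the Header stays readable for routing
    // and is bound to the ciphertext as associated data.
    static string Protect(string xml, byte[] key)
    {
        XElement env = XElement.Parse(xml), body = env.Element("Body")!;
        byte[] plain = Encoding.UTF8.GetBytes(body.Value);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] cipher = new byte[plain.Length], tag = new byte[16];
        using var aes = new AesGcm(key, 16);
        aes.Encrypt(nonce, plain, cipher, tag, Aad(env));
        body.ReplaceAll(new XElement("EncryptedData",
            new XAttribute("nonce", Convert.ToBase64String(nonce)),
            new XAttribute("tag", Convert.ToBase64String(tag)),
            Convert.ToBase64String(cipher)));
        return env.ToString(SaveOptions.DisableFormatting);
    }

    // Final receiver: throws CryptographicException if Header or Body changed.
    static string Unprotect(string xml, byte[] key)
    {
        XElement env = XElement.Parse(xml);
        XElement enc = env.Element("Body")!.Element("EncryptedData")!;
        byte[] cipher = Convert.FromBase64String(enc.Value);
        byte[] plain = new byte[cipher.Length];
        using var aes = new AesGcm(key, 16);
        aes.Decrypt(Convert.FromBase64String((string)enc.Attribute("nonce")!),
            cipher, Convert.FromBase64String((string)enc.Attribute("tag")!), plain, Aad(env));
        return Encoding.UTF8.GetString(plain);
    }

    static byte[] Aad(XElement env) =>
        Encoding.UTF8.GetBytes(env.Element("Header")!.ToString(SaveOptions.DisableFormatting));

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // shared by sender and service only
        string sent = Protect("<Envelope><Header><To>orders</To></Header>" +
            "<Body>card=4111111111111111</Body></Envelope>", key); // constructed sample
        // Intermediary (queue): the sender's TLS session ended here, yet only the header is readable.
        Console.WriteLine("queue routes to: " + XElement.Parse(sent).Element("Header")!.Value);
        Console.WriteLine("queue sees body: " + XElement.Parse(sent).Element("Body")!.Value);
        Console.WriteLine("service reads:   " + Unprotect(sent, key));
    }
}
```

With transport-only protection the queue in `Main` would hold the body in clear text between the two TLS hops; here it holds only the base64 ciphertext, and any change to the header or body makes `Unprotect` fail.
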
Richard L Rosenheim - 16 Apr 2005 03:41 GMT
Keenan,

Just to give food for thought regarding your comments.

In one of the projects I'm working on, support for PocketPCs (and
potentially, possibly even Palms) is a requirement.  Currently, PocketPC
does not have support for WS-Security.  That means either having to (a) wait
for Microsoft (or someone else) to support WS-Security on the PocketPC, (b)
implement WS-Security myself, or (c) roll my own encryption scheme utilizing
one of the cryptographic algorithms supported by the PocketPC and the Palm.

Waiting isn't a preferred option, and both (b) and (c) would mean a lot of
additional development and testing on our side.  And, increase the
complexity for anyone else wishing to utilize the web services.  Or, we just
utilize HTTPS/SSL and live with that.

Richard Rosenheim

> Ummm well Rafal,  I have some concerns with your reply. First, WS-Security
> is a standard; nothing custom about the specification.  Secondly, using
[quoted text clipped - 3 lines]
> not the transport level.  This way I have better control of the
> security and integrity of my data throughout my application
Keenan Newton - 18 Apr 2005 19:51 GMT
Well both solutions have their pros and cons.  Again I would use SSL as
a last resort as it is transport specific.  If you've got to use SSL then
that's fine.  There isn't a silver bullet out there unfortunately and
you are going to have to consider your choices and options.  And
sometimes you don't have an option such as in the case of the .Net CF.

Happy coding
Rafal Gwizdala - 19 Apr 2005 15:13 GMT
> Ummm well Rafal,  I have some concerns with your reply. First, WS-Security
> is a standard; nothing custom about the specification.  Secondly, using
[quoted text clipped - 3 lines]
> not the transport level.  This way I have better control of the
> security and integrity of my data throughout my application

Well, WS-Security is a standard, from what I know, but
1. The original question did not mention WS-Security as an alternative to
HTTPS; I understood it as a custom encryption option vs HTTPS.
2. It is quite a young standard, with unknown level of support among
software vendors.

But, if HTTPS was not an option, I would of course turn to WS-Security or
some other secure messaging standard, such as S/MIME. But in case of web
services, when you want just a secure communication layer, SSL is probably
the simplest and most efficient.

Best Regards
Rafal Gwizdala
