Anyone care to express their two cents over pros and cons of encrypting the
data being transmitted (within the SOAP package) versus just utilizing a
HTTPS connection?
Richard Rosenheim
7  4052 
My experiences are that from a performnace stance they are about the
same. However, I thought encrypting the SOAP message was simplier.
not to mention using HTTPS is also transport specific. If you want to
use a different protocol such as TCP. Then you are going to need
another mechanism for encrypting your transmissions. I think
eventually the development community will realize sending SOAP messages
via HTTP does not perform well, and maybe using a simplier protocol
like say TCP would be more efficient. My suggestion is to encrypt the
SOAP package that way your encryption is independent of the transport
mechanism you are sending you SOAP messages on
Keenan Newton wrote: My experiences are that from a performnace stance they are about the
same. However, I thought encrypting the SOAP message was simplier.
not to mention using HTTPS is also transport specific. If you want to
use a different protocol such as TCP. Then you are going to need
another mechanism for encrypting your transmissions. I think
eventually the development community will realize sending SOAP messages
via HTTP does not perform well, and maybe using a simplier protocol
like say TCP would be more efficient. My suggestion is to encrypt the
SOAP package that way your encryption is independent of the transport
mechanism you are sending you SOAP messages on
Hello
Did you consider what is easier for your web service clients - to use
custom message encryption, or to use standard SSL connection? There is
no performance gain in using custom encryption, so why choose it?
When you introduce a nonstandard encryption you put a requirement on
your clients to write and maintanin some specific code - that means
bugs, problems, unknown level of compatibility, no portability...
With HTTPS + SOAP you have everything standard, compatible, easy to set
up and maintain and, well, guaranteed to work. And you don't have to
reinvent the wheel when it comes to, for example, client authentication.
You aren't also limited to HTTP with the HTTPS - SSL supports any
application-level protocol, not only HTTP - it is a transport layer just
as TCP.
Best regards,
Rafal Gwizdala
Thanks for both replies.
In considering your points (and I didn't think about possibility that some
day something besides HTTP/HTTPS could possibly be utilized), it seems that
staying with basic web service protocol and utilizing HTTPS is probably the
best approach to take today.
Yes, the inefficiency of character-based messages (in comparison to binary
data) does bother me. But, I'm not aware of any standard currently in place
to help out in this matter. Utilizing remoting doesn't seem to be the way
to go, especially with Microsoft says that remoting is on it way out.
Richard Rosenheim
"Rafal Gwizdala" <gw*****@poczta.onet.pl> wrote in message
news:Ou**************@tk2msftngp13.phx.gbl... Keenan Newton wrote: My experiences are that from a performnace stance they are about the
same. However, I thought encrypting the SOAP message was simplier.
not to mention using HTTPS is also transport specific. If you want to
use a different protocol such as TCP. Then you are going to need
another mechanism for encrypting your transmissions. I think
eventually the development community will realize sending SOAP messages
via HTTP does not perform well, and maybe using a simplier protocol
like say TCP would be more efficient. My suggestion is to encrypt the
SOAP package that way your encryption is independent of the transport
mechanism you are sending you SOAP messages on
Hello
Did you consider what is easier for your web service clients - to use
custom message encryption, or to use standard SSL connection? There is
no performance gain in using custom encryption, so why choose it?
When you introduce a nonstandard encryption you put a requirement on
your clients to write and maintanin some specific code - that means
bugs, problems, unknown level of compatibility, no portability...
With HTTPS + SOAP you have everything standard, compatible, easy to set
up and maintain and, well, guaranteed to work. And you don't have to
reinvent the wheel when it comes to, for example, client authentication.
You aren't also limited to HTTP with the HTTPS - SSL supports any
application-level protocol, not only HTTP - it is a transport layer just
as TCP.
Best regards,
Rafal Gwizdala
Ummm well Rafal, I have some concerns with reply. First. WS-Security
is a standard; nothing custom about the specification. Secondly, using
SSL is only good point to point in other words from a client to server.
Using WS-Security the SOAP packet can be encrypted along the entire,
say between queues. I rather have my encryption at the message level,
not the transport level. This way I have better control of the
security and integrity of my data throughout my application
Keenan,
Just to give food for thought regarding your comments.
In one of the projects I'm working on, support for PocketPCs (and
potentially, possibly even Palms) is a requirement. Currently, PocketPC
does not have support for WS-Security. That means either having to (a) wait
for Microsoft (or someone else) to support WS-Security on the PocketPC, (b)
implement WS-Security myself, or (c) roll my own encryption scheme utilizing
one of the cryptographic algorithm supported by the PocketPC and the Palm.
Waiting isn't a preferred option, and both (b) and (c) would mean a lot of
additional development and testing on our side. And, increase the
complexity for anyone else wishing to utilize the web services. Or, we just
utilize HTTPS/SSL and live with that.
Richard Rosenheim
"Keenan Newton" <ka*********@yahoo.com> wrote in message
news:11**********************@g14g2000cwa.googlegr oups.com... Ummm well Rafal, I have some concerns with reply. First. WS-Security
is a standard; nothing custom about the specification. Secondly, using
SSL is only good point to point in other words from a client to server.
Using WS-Security the SOAP packet can be encrypted along the entire,
say between queues. I rather have my encryption at the message level,
not the transport level. This way I have better control of the
security and integrity of my data throughout my application
Well both solutions haev there pros and cons. Again I wouod use SSL as
a last resort as it transport specific. If you got to use SSL then
thats fine. There isn';t a silver bullet out there unfortunately and
you are going to ahve to consider your choices and options. And
sometimes you don't have an option such as in the case of the .Net CF.
Happy coding
"Keenan Newton" <ka*********@yahoo.com> wrote in message
news:11**********************@g14g2000cwa.googlegr oups.com... Ummm well Rafal, I have some concerns with reply. First. WS-Security
is a standard; nothing custom about the specification. Secondly, using
SSL is only good point to point in other words from a client to server.
Using WS-Security the SOAP packet can be encrypted along the entire,
say between queues. I rather have my encryption at the message level,
not the transport level. This way I have better control of the
security and integrity of my data throughout my application
Well, WS-Security is a standard, from what I know, but
1. The original question did not mention Ws-Security as an alternative to
HTTPS, I understood it as a custom encryption option vs HTTPS.
2. It is quite a young standard, with unknown level of support among
software vendors
But, If HTTPS was not an option, I would of course turn to WS-Security or
some other secure messaging standard, such as S/MIME. But in case of web
services, when you want just a secure communication layer, SSL is probably
the simplest and most efficient.
Best Regards
Rafal Gwizdala This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Ed J |
last post by:
I need some sort of file encryption that I can invoke from my PHP web pages,
to protect sensitive files uploaded/downloaded by clients.
I use https (SSL) for the upload/download, but once the...
|
by: steve |
last post by:
Hi,
I know there are a few free and paid php source code encryption
scripts around. Has anyone used one, and any feedback?
I am interested in encrypting source that is placed on a remote host....
|
by: cmrchs |
last post by:
Hi,
Using the RSA-crypto algorithm in .NET , when actually encrypting/decrypting, all the code samples I ran into always used something like, to encrypt :
// create keypair and store in...
|
by: cmrchs |
last post by:
Hi,
Using the RSA-crypto algorithm in .NET , when actually encrypting/decrypting, all the code samples I ran into always used something like, to encrypt :
' create keypair and store in...
|
by: Charlie King |
last post by:
I'm trying to send data to a remote script (a credit card processing
third party) from my site using POST.
Currently, I'm doing it using the ususal form dynamically built with
my values.
This...
|
by: Parrot |
last post by:
I cannot get an answer as to why my session state no longer remains active
between webpages after working for 2 years. So I want to try to pass data
thru query strings in my url. I tried to use...
|
by: Cord-Heinrich Pahlmann |
last post by:
Hi,
I have written a tool wich de/encrypts a few of my forum and
bloggin-Passwords.
My question is how secure it is.
The following describes how I have encrypted my passwords.
When I log in,...
|
by: SeeSharp Bint |
last post by:
Visual Studio 2005, dotnet, c#. Microsoft SQL Server. Windows XP forms
application.
Temporarily, for my database application, I have been storing the various
elements of database connection...
|
by: Tery |
last post by:
I'm trying to implement the Handango.com HTTP POST registration method. The
instructions are here:
http://www.handango.com/marketing/developerTeam/HTTP_Post_Reg_Model_How2.doc
I'm stuck on how...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |
