Ask The Security Expert: Questions & Answers
What are the risks of connecting a Web service to an external system via SSL?

Expert response from: Joel Dubin, past SearchSecurity.com expert

QUESTION POSED ON: 30 December 2007
What are the risks associated with connecting a Web service to an external system via SSL? Is there a standard applicable to this situation? Can SAML and digital signatures mitigate potential dangers?

Since Web services involve XML, it would seem that SSL would be adequate protection for SOAP messages and other files being transmitted by HTTP over the Internet. But this isn't always the case, and the answer lies in the difference between the way Web services and other Web applications communicate using HTTP.

SSL is meant for communicating between endpoints. In other words, it protects the confidentiality and integrity of messages between a client and a server communicating over the Internet. It does this by providing an encrypted tunnel, good only for a single session. This is ideal for protecting access from a browser to a Web site and back.

But Web services are transparent to the user and involve applications talking to each other behind the scenes. In addition, unlike a Web transaction, which lasts for a session and is gone, in Web services, these applications are talking continuously to each other. The exchange of keys and certificates for creating a single-use session key for SSL makes it impractical for Web services. Also, SSL doesn't manage the access control required for Web services.

In summary, SSL works fine at the transport level, but not for message-level security.

Fortunately, there are a number of XML-based security options available for Web services. These offerings manage the encryption, access control, authentication and data integrity and privacy required for Web services. These product areas include XML encryption, XML digital signatures, XML Key Management Specification (XKMS), Security Assertion Markup Language (SAML), Web Services Security (WS-Security) and the ebXML message service.

In your situation, SAML and digital certificates could be used to secure your Web services implementation. But that doesn't mean SSL can't be used at all for securing Web services. The decision to stick with SSL or use a stronger XML-based method should be based on the size and scope of your application. If the Web services are used for a generic online Web application, then go with SSL. But if it involves complex workflows with Web services moving documents that need to be secured, then SSL won't do and the stronger XML solutions are in order.
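To make the transport-level versus message-level distinction in the answer concrete, here is an added example (not part of the expert's response, and not any product's code). It models the situation the answer describes: a message passes through an intermediary where the SSL/TLS session ends before it reaches the backend, so the backend's transport connection says nothing about what the originating service actually sent. A signature that travels inside the message survives that hop, and a timestamp plus nonce give the session-less freshness that SSL's per-session key would otherwise provide. The example uses Python's standard-library HMAC as a stand-in for an XML digital signature (a real deployment would use XML-DSig with certificate-backed keys rather than a shared secret); the key, service names and message bodies are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key for the example; a real deployment would use XML-DSig
# with a certificate-backed key pair rather than a shared secret.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def canonicalize(envelope):
    """Serialise every field except the signature in a fixed order, so the
    sender and the final receiver hash exactly the same bytes (this is the job
    XML canonicalisation does for XML-DSig)."""
    unsigned = {k: v for k, v in envelope.items() if k != "signature"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(key, body, sender, now=None, nonce=None):
    """Wrap a message body in an envelope carrying sender, timestamp, nonce and
    a MAC over all of them. Integrity now travels with the message, not the hop."""
    envelope = {
        "sender": sender,
        "timestamp": int(time.time() if now is None else now),
        "nonce": nonce or secrets.token_hex(8),
        "body": body,
    }
    envelope["signature"] = hmac.new(key, canonicalize(envelope), hashlib.sha256).hexdigest()
    return envelope


def verify_envelope(key, envelope, now=None, max_age=300, seen_nonces=None):
    """Return (ok, reason). Checks the MAC first, then freshness, then replay."""
    expected = hmac.new(key, canonicalize(envelope), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("signature", "")):
        return False, "signature mismatch"
    now = time.time() if now is None else now
    if abs(now - envelope["timestamp"]) > max_age:
        return False, "stale timestamp"
    if seen_nonces is not None:
        if envelope["nonce"] in seen_nonces:
            return False, "replayed nonce"
        seen_nonces.add(envelope["nonce"])
    return True, "ok"


def gateway_hop(envelope):
    """Stand-in for an intermediary where the TLS session terminates. It
    re-serialises the message and, in this constructed case, alters the body
    before forwarding; a purely transport-level check at the backend sees only
    a valid TLS connection from the gateway and cannot notice the change."""
    forwarded = dict(envelope)
    forwarded["body"] = forwarded["body"].replace("amount=100", "amount=1000")
    return forwarded


def demo(now=1_700_000_000):
    """Run the cases a receiving service cares about and return their outcomes."""
    seen = set()
    original = sign_envelope(SHARED_KEY, "order: amount=100", "billing-svc", now=now, nonce="n1")
    untouched = verify_envelope(SHARED_KEY, original, now=now + 5, seen_nonces=seen)
    tampered = verify_envelope(SHARED_KEY, gateway_hop(original), now=now + 5, seen_nonces=seen)
    replayed = verify_envelope(SHARED_KEY, original, now=now + 10, seen_nonces=seen)
    stale = verify_envelope(SHARED_KEY, original, now=now + 3600, seen_nonces=set())
    return {"untouched": untouched, "tampered": tampered, "replayed": replayed, "stale": stale}


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:10s} -> {'accepted' if ok else 'rejected'} ({reason})")
```

The receiver checks the signature before anything else so that unauthenticated fields (timestamp, nonce) are never trusted for a decision; the nonce set is what stands in for the session state SSL would otherwise carry, and it has to be shared across backend instances in a real deployment.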
