RE: .NET Form Client Connection to .Net Web Service via SSL
- From: "CESAR DE LA TORRE [MVP]" <cdltll@xxxxxxxxxxx>
- Date: Thu, 20 Oct 2005 13:50:01 -0700
BTW, about security using WebServices (Encrypt, Sign, Auth, etc.), the best
way you can control everything, AT MESSAGE SOAP LEVEL (instead of at protocol
level like SSL), is using WS-Security specifications (part of WS-*
specifications).
Microsoft WS-* specifications are being implemented by Microsoft in the
following ways:
- WSE 2.0 SP2 ("Web Services Enhancements" - Current release version)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FC5F06C5-821F-41D3-A4FE-6C7B56423841&displaylang=en
- WSE 3.0 Beta ("Web Services Enhancements" - Next version)
http://www.microsoft.com/downloads/details.aspx?FamilyId=2896249A-D107-4F19-B8E7-B01DA67A5C02&displaylang=en
- WCF (Windows-Communication-Foundation, codename "INDIGO"). This is the
future in communications over Windows Platform (Windows Vista and Windows
Longhorn Server):
http://www.microsoft.com/downloads/details.aspx?FamilyID=23a22468-5807-4ff7-a363-ce6fe69b8f04&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyId=CE888B4C-CCBD-452F-9D90-F4B7190CCA24&displaylang=en
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]
Renacimiento
[Microsoft GOLD Certified Partner]
"CESAR DE LA TORRE [MVP]" wrote:
> If you are using SSL with a 128-bit Server Certificate, it is quite secure.
> Its encryption would be very difficult to break. BUT, DO NOT use a 64-bit
> Server Certificate, it is not very secure.
> About the other question, If you want to make sure about encryption, you can
> use any Sniffer to take a look at the Traffic, so you'll see it is encrypted.
> Anyway, if your URL is 'HTTPS', it is being encrypted, for sure. ;-). You
> cannot use HTTPS without encrypting.
>
> For SSL Communication (SSL provides just end to end encryption) you only
> need a Server Certificate, you don't need any Client Certificate. Client
> Certificates are for AUTHENTICATION and DIGITAL-SIGNING, not for encrypting.
> Also, you could authenticate either with Client-Certificates or any other
> credentials, like "user-password", Windows-Integrated.
> --
> CESAR DE LA TORRE
> Software Architect
> [Microsoft MVP - XML Web Services]
> [MCSE] [MCT]
>
> Renacimiento
> [Microsoft GOLD Certified Partner]
>
>
> "JeffreyT" wrote:
>
> > Hi Experts,
> >
> > I consider myself an advanced .NET developer but I am new to SSL. My
> > question is both simple and perhaps foolish.
> >
> > I have a .NET Form client consuming a .NET WS via an https request.
> > I've set up a server-side certificate through a Certificate Authority.
> >
> > I am using ICertificatePolicy, in my client code, to override the
> > validation of the server certificate. Hence, by default I think I am
> > telling the client app to just go ahead and assume the server-side
> > certificate is valid.
> >
> > My questions are the following:
> > 1) How do I know if the communication channel is "truly" secure? Is
> > my data really being encrypted?
> > 2) Do I really not need a client-side certificate to use SSL for client
> > to server communication in my windows form app?
> >
> >
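
The `ICertificatePolicy` override mentioned in the original question, as an added example that is not part of the thread: an accept-all policy beside a stricter one that keeps server authentication. The class names and the pinned thumbprint are hypothetical placeholders, and the code assumes the .NET Framework `ICertificatePolicy` / `ServicePointManager.CertificatePolicy` API that the question names.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Accept-all policy, as described in the question: traffic is still encrypted,
// but the client no longer verifies which server holds the other end.
public class AcceptAllPolicy : ICertificatePolicy
{
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        return true;
    }
}

// Stricter policy: accept certificates that passed platform validation, plus
// one explicitly pinned certificate (for example a test server).
public class StrictPolicy : ICertificatePolicy
{
    // Hypothetical placeholder: SHA-1 thumbprint (hex) of the single exception.
    private const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        if (certificateProblem == 0)
            return true;                      // chain, name and dates all validated

        if (certificate == null)
            return false;

        bool pinned = string.Equals(certificate.GetCertHashString(), PinnedThumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.Error.WriteLine("Rejected certificate for {0}: problem 0x{1:X8}",
                                    srvPoint.Address, certificateProblem);
        return pinned;
    }
}

public static class Program
{
    public static void Main()
    {
        // Install the policy once, before the web service proxy makes any HTTPS call.
        ServicePointManager.CertificatePolicy = new StrictPolicy();
    }
}
```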