Where is SSL finding traction in securing Web services?
If you look at the different areas where people are using Web services, you find that they
primarily fall into the following categories: (a) Company internal distributed applications that
previously might have used RPC or CORBA
Requires Free Membership to View
or
even DCOM or RMI for inter-application communication; (b) ISVs who are adding a Web services-based
interface to their products, in addition to existing APIs; (c) Internet companies such as Amazon,
Google and eBay, which are exposing part of their service through Web APIs for consumption
|
 |
||||||||||||||||
|
|||||||||||||||||
by programs; and (d) B2B projects that use Web services for intercompany exchange of information.
SSL is great for securing the transport pipe. It has been around for quite some time, most people understand it and the interoperability among various implementations have improved significantly. And although it is not as easy as direct HTTP interactions, moving from HTTP to HTTP over SSL or HTTPS requires, in most cases, simple deployment time configuration changes only, avoiding costly redesign or source-code level changes. Given the array of security areas that get addressed by SSL, privacy, integrity and authentication of end points, use of SSL is indeed very attractive.
For category (a) Web services, the security needs are minimal to start with and are usually
satisfied with moving the transport from simple HTTP to HTTPS. Same for most of the category (b)
uses. Category (c) is interesting. Most of the publicly available Web APIs in this category don't
support even SSL (though, they can without much change). I suspect that most of these are still at
experimental stage and the need for security hasn't been very strong. Category (d) is an entirely
different story. Applications conforming to standards such as ebXML are more demanding and would
require message-level security support. Is SSL suitable for B2B Web service transactions between
suppliers or partners, or is it solely a B2C proposition?
SSL works just fine for transport-level security but breaks down at the message level. If the
requirement is to allow only trusted parties to participate and to secure the data from prying
eyes, SSL fits the bill. But if the requirement is to use multiple transports, say HTTP and then
JMS, and you cannot trust the point that acts as gateway between HTTP and JMS, then you may need to
rethink your security strategy.
But because the message-level security technologies -- such as XML DSig, XML Encryption, WS-Security and many others -- tend to be complex to deploy and hence are yet
to get wide adoption, there is a tendency to use SSL as a starting point. What kinds of hacker
attacks is SSL well suited to hold off? Which would it fail against?
SSL is great at thwarting attacks based on network sniffing. If your data is flowing over SSL, then
you can be sure that no malicious or compromised router would be able to retrieve the data. It is
also great at authenticating the server -- and the client, if you set
up for mutual authentication – by using X.509 certificates. This authentication mechanism is
usually much safer than the password-based authentication of the client, such as HTTP-Basic or
HTTP-Digest or any other plain text token-based authentication.
If the application requires the data to be stored on disk before processing, then SSL can't protect against attacks on that data. This could be a significant consideration for certain Web services-based applications.
However, there are a number of attacks against which SSL -- or for that matter, any technology
-- is going to be ineffective. These include attacks based on software vulnerabilities that allow a
hacker to take control of the machine. Similarly, it is hard to fend off against social
engineering-based attacks. Can SSL be used alone with Web services, or are digital signatures or
some other secure authentication method required?
Again, it depends upon what exactly you are doing with Web services. If you are using Web services
 |
||||
|
|
|||
|
||||
just as a means for an interoperable and easy-to-deploy online interaction mechanism -- and, by the way, these are perfectly valid uses of Web services -- then it is perfectly OK to use SSL as the security solution.
On the other hand, if you have a workflow solution that uses Web services to move around
documents, and you need document-centric security, then you should be thinking about XML digital
signatures and XML encryption. Is SSL too bandwidth- or CPU-intensive for Web services? Do the
benefits justify the expense?
All cryptographic solutions, including SSL, have the reputation of being CPU intensive. However,
with Moore's Law
making sure that we get more and more computing power for the same dollars, the performance
overhead of SSL is less and less relevant. For a heavy load, one could always buy special hardware
accelerators, which again, are not very expensive.
Not many people realize that SSL allows negotiation of the key size for encryption and the cryptographic algorithms at runtime. So you can actually adjust the security level, and hence the computing power needs, to meet your application demands.
The increase in message size due to SSL is not very significant, and is rarely a concern. Does
SSL scale well enough for Web services transactions?
Yes. Unlike technologies like XML Digital Signature and XML Encryption that require the complete
message to be available, at times, as a DOM tree, SSL can work at the byte stream level, avoiding the need for extra
memory to hold the complete message. This also allows pipelining of processing. Additionally, the
SSL processing of messages for two different connections can happen completely in parallel. Are
there any emerging XML security technologies that can address Web services security requirements
that are not provided by SSL?
As I noted earlier, SSL does not provide message-level security. Also, SSL does not address the
problem of key management, secure assertions and access control. A number of technologies are being
developed to address these. XML Digital Signature and XML Encryption are already W3C
recommendation. WS-Security, which combines these for use in Web services, is now an OASIS
standard. SAML, addressing the need for secure assertions, and XACML, addressing access control,
are also now OASIS standards.
However, most of these standards are new, and it will be while before they get widely deployed.
How would an organization address the fact that SSL often lacks authentication for Web
services?
Well, if you use mutual-authentication feature of the SSL, then you do get client authentication. However, client-side authentication through SSL is not widely used due to the difficulty in managing client certificates. Some people address this by using HTTP-Basic or a token embedded in the XML message and then transmitting the message over HTTPS. This is great because SSL makes sure that sensitive information, such as account identification and password, is not transmitted in clear text over the Internet.
Join the conversationComment
Share
Comments
Results
Contribute to the conversation