Thursday, February 6, 2014

Why WS-Security over HTTPS?

this is a very good and clear article that i have ever seen in my life related to the use of the WS-Security over HTTPS. i am just re-sharing the article for your reference. in order to give the credit for the original author, i am sharing the original sources as the reference here.

Source: - http://www.cloudidentity.com/blog/2005/04/25/END-TO-END-SECURITY-OR-WHY-YOU-SHOULDN-T-DRIVE-YOUR-MOTORCYCLE-NAKED/





So it goes like this. Suppose you are naked, and you have to drive your motorcycle to a certain destination.

In the (A) case you go through a transparent tunnel: your only hope of not being arrested for obscene behaviour is that nobody is looking. That is not exactly the most secure strategy you can come out with… (notice the sweat drop from the guy forehead :-)). That is equivalent to a POST in clear, and when I say “equivalent” I mean it.


In the (B) case, you are in a better situation. The tunnel is opaque, so as long as you travel into it your public record is safe. However, this is still not the best situation. You still have to leave home and reach the tunnel entrance, and once outside the tunnel probably you’ll have to get off and walk somewhere… and that goes for HTTPS. True, your message is safe while it crosses the biggest chasm: but once you delivered it on the other side you don’t really know how many stages it will have to go through before reaching the real point where the data will be processed. And of course all those stages could use something different than HTTP: a classical MSMQ which buffers requests which can’t be served right away, for example. What happens if somebody lurks your data while they are in that preprocessing limbo?


The complete solution (c) in this metaphor is painfully trivial: get some darn clothes on yourself, and especially the helmet while on the motorcycle!!! So you can safely go around without having to rely on opaqueness of the environments. The metaphor is hopefully clear: the clothes come with you regardless of the mean or the surrounding infrastructure, as the message level security does. Furthermore, you can decide to cover one part but reveal another (and you can do that on personal basis: airport security can get your jacket and shoes off, while your doctor may have a higher access level), but remember that short sleeves shirts are bad practice even if you are proud of your biceps :-) (better a polo, or a t-shirt).

I’m happy to say that she got the point! I have to say that the clothes metaphor is very powerful: I was tempted to use it for introducing the concept of policy (disco clubs won’t let you in sport shoes; you can’t go to withdraw money in a bank in your underwear, while this is perfectly acceptable look while balancing yourself on a surf; and so on) but I thought that for one afternoon it was enough


Thanks
Chathuranga

Source:- http://www.cloudidentity.com/blog/2005/04/25/END-TO-END-SECURITY-OR-WHY-YOU-SHOULDN-T-DRIVE-YOUR-MOTORCYCLE-NAKED/

No comments:

Post a Comment