Does HTTPS secure through different firewalls (hops) ?

 
Ranch Hand
Posts: 45
Hi,

While I've been implementing web services, with regard to security, I have a dilemma between WS-Security and HTTPS (SSL with PKI).
I know that HTTPS provides point-to-point security and if we have any intermediaries it'll expose the data at those points. But in our case we don't have any intermediaries.
My question here is whether HTTPS provides security if the data is flowing through different firewalls and hops via the internet. Does it create a new session between each hop, thus exposing the data at those points? What does point-to-point mean, is it between different hops?

If it doesn't provide that, then we'll go to WS-Security; otherwise we just don't want to add any overhead for our clients to use WS-Sec.

Please let me know your thoughts.

Thanks,
 
Ranch Hand
Posts: 1183
Raj,

WS-Security vs. SSL says under 'SSL Provides In-Transit Security Only' -

.... you'll begin to realize that the request is only encrypted while it is travelling between the client and the server. Once it hits the server, it is decrypted from that moment on.

To be completely accurate, it might not even need to hit the server to be decrypted. If, for example, you have a proxy server in front of your web server, it is possible that the decryption certificate has been installed there. That way the server can examine the message to determine the correct routing. However, the message may not be re-encrypted before it is sent to the web server that will actually handle the request. So now that 'secure' request is travelling along a network in clear text. Granted, the network that it travels along is quite likely the internal one for the company hosting the server. Still, there is the possibility that sensitive data can be picked up.



Regards,
Dan
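
The proxy scenario in the quoted passage, as an added example that is not part of the original post or the cited article: a reverse proxy terminating TLS, first forwarding to the backend in clear text, then re-encrypting and verifying the backend. The choice of nginx and every hostname, address and file path below are assumptions made for illustration.

```nginx
# Constructed example: hostnames, addresses and paths are placeholders.
# Deploy only one of the two variants; they are shown side by side for comparison.

# Variant A: TLS ends at the proxy and the hop to the backend is clear text.
server {
    listen 443 ssl;
    server_name api.example.com;

    # The certificate and private key live on the proxy, so decryption happens here.
    ssl_certificate     /etc/nginx/tls/api.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;

    location / {
        # Plain HTTP upstream: the request crosses the internal network unencrypted.
        proxy_pass http://10.0.0.20:8080;
    }
}

# Variant B: the proxy opens a second, verified TLS session to the backend.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/tls/api.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;

    location / {
        proxy_pass https://backend.internal.example:8443;

        # Send SNI and check the backend certificate against the internal CA;
        # without proxy_ssl_verify the upstream certificate is not validated.
        proxy_ssl_server_name on;
        proxy_ssl_name        backend.internal.example;
        proxy_ssl_verify      on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
    }
}

# In both variants the message is readable inside the proxy process itself.
# Keeping it protected there requires message-level security such as
# WS-Security, applied by the client before the request is sent.
```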
 
Raj Menon
Ranch Hand
Posts: 45
Thanks Dan.

I think the article you mentioned did not talk about any network/firewall hops.
It is saying that from server to server it is encrypted, and the moment it hits the server, whether it be a proxy server or the real back-end server, it'll be decrypted. With this I don't have any problem because our internal network is secured and I don't worry about that.

My question revolves around the network/firewall hops via the internet.
Suppose we tracert to any public HTTPS web service URL; it goes via different hops of the internet provider. So does HTTPS keep the data encrypted all along those hops, or does it create a session from one hop to the second hop, then another session from the second hop to the third hop, thus exposing the unencrypted data at those hops?

Hope I'm clear in my question.
 