
Does HTTPS secure through different firewalls (hops)?

 
Raj Menon
Ranch Hand
Posts: 45
Hi,

While I've been implementing web services, with regard to security, I have a dilemma between WS-Security and HTTPS (SSL with PKI).
I know that HTTPS provides point-to-point security and if we have any intermediaries it will expose the data at those points. But in our case we don't have any intermediaries.
My question here is whether HTTPS provides security if the data is flowing through different firewalls and hops via the internet. Does it create a new session between each hop, thus exposing the data at those points? What does point-to-point mean, is it between different hops?

If it doesn't provide that, then we'll go with WS-Security; otherwise we just don't want to add any overhead to our clients to use WS-Sec.

Please let me know your thoughts.

Thanks,
 
Dan Drillich
Ranch Hand
Posts: 1183
Raj,

WS-Security vs. SSL says under 'SSL Provides In-Transit Security Only' -

.... you'll begin to realize that the request is only encrypted while it is travelling between the client and the server. Once it hits the server, it is decrypted from that moment on.

To be completely accurate, it might not even need to hit the server to be decrypted. If, for example, you have a proxy server in front of your web server, it is possible that the decryption certificate has been installed there. That way the server can examine the message to determine the correct routing. However, the message may not be re-encrypted before it is sent to the web server that will actually handle the request. So now that 'secure' request is travelling along a network in clear text. Granted, the network that it travels along is quite likely the internal one for the company hosting the server. Still, there is the possibility that sensitive data can be picked up.



Regards,
Dan
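
The proxy scenario in the article quoted above, written out as a reverse-proxy configuration. This is an added example, not part of Dan's post or the quoted article; nginx is assumed as the proxy, and every hostname, address and file path is a placeholder. The two server blocks are alternatives for the same site, so only one of them would be deployed.

```nginx
# Constructed example: hostnames, addresses and file paths are placeholders.

# Variant A: TLS ends at the proxy and the request continues in clear text.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/tls/api.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;

    location / {
        # Plain HTTP between proxy and web server: anything that can
        # observe this internal segment sees the decrypted request.
        proxy_pass http://10.0.0.20:8080;
    }
}

# Variant B: the proxy still decrypts in order to route, but opens a second
# TLS session to the web server and authenticates it.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/tls/api.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;

    location / {
        proxy_pass https://backend.internal.example:8443;

        # Upstream certificate verification is off by default; without it
        # the backend hop is encrypted but not authenticated.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

        # Send SNI and check the certificate against the backend's name.
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend.internal.example;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

In both variants the message exists in clear text inside the proxy process itself, which is the gap message-level protection such as WS-Security is meant to cover.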
 
Raj Menon
Ranch Hand
Posts: 45
Thanks Dan.

I think the article you mentioned did not talk about any network/firewall hops.
It is saying that from server to server it is encrypted and the moment it hits the server, whether it be a proxy server or the real back end server, it'll be decrypted - With this I don't have any problem because our internal network is secured and I don't worry about that.

My question revolves around the network/firewall hops via the internet.
Suppose we tracert to any public HTTPS web service URL; it goes via different hops of the internet provider. So does HTTPS keep the data encrypted all along those hops, or does it create a session from one hop to the second hop, then create another session from the second hop to the third hop, thus exposing the unencrypted data at those hops?

Hope I'm clear in my question.
 