Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle

From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
Date: Wed, 18 Oct 2006 07:59:38 GMT

Hi John,

If you only applied SSL/https as the transport channel and not use message
layer security feature in WSE, WSE will certainly send out the soap message
(include username/password credentials) in clearText format. However, I
think SSL/HTTPS should be strong enough for secure the mesages transfering
over the transport layer. If your concern is that some malicious one else
may redirect the request to a fake server with SSL/certificates, then you
can add codelogic in your client application to valiate the server
certificate exposed from the SSL/HTTPS server. The ServicePointManager
class in .net framework provide ServerCertificateValidationCallback event
that can let us add custom code logic to verify the server (which provide
the SSL/HTTPS service channel). And this event will occur at the initial
time when your webservice (or other webclient) which connect to HTTPS/SSL
server through .net webrequest components:

#ServicePointManager.ServerCertificateValidationCallback Property
http://msdn2.microsoft.com/en-us/library/system.net.servicepointmanager.serv
ercertificatevalidationcallback.aspx

#RemoteCertificateValidationCallback Delegate
http://msdn2.microsoft.com/en-us/library/system.net.security.remotecertifica
tevalidationcallback.aspx

Anyway, I also think that you can choose either
SSL/HTTPS(UsernameOverTransport) or message layer
security(UsernameOverCertificate), use both of them may be a bit redundant.

Please feel free to post here if you have any other concerns or ideas on
this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

.

References:
- Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
  - From: Dominick Baier

Prev by Date: Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
Next by Date: EnvelopedCMS and MailMessage [.NET 2.0 - VB_VS2005]
Previous by thread: Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
Next by thread: Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
Index(es):
- Date
- Thread

Relevant Pages

Re: Why Ping does not Work
... nor can I ping my server here in Richmond from ... I can ping my home computer ... the rest of the internet. ... layer produces complete protection. ...
(microsoft.public.windowsxp.network_web)
Re: [fw-wiz] separating the servers on a switch
... > We want to control which server can talk to which other server (in the ... > segment), utilizing one of the firewalls. ... layer 2 connection. ... Static ARP tables: ARP only the routers/firewalls and the devices each ...
(Firewall-Wizards)
Re: Front End or Backend - Where to put what?
... Unless you are using SQL Server, DB2 or Oracle you can forget your three ... If you are using Jet then _just_ get the design of the database right (and ... depending on the business and the way that business handles the data. ... > on my part is the tiered approach of 'Data Layer, ...
(microsoft.public.access.tablesdbdesign)
Re: Stratification Style Web Design
... call this the presentation layer.) ... running on an app server, ... position: absolute; ... As the links are pulled in from an external file, if you had say 2,000 pages, you can modify that one file and the whole site is done. ...
(alt.2600)
Re: Stratification Style Web Design
... call this the presentation layer.) ... running on an app server, ... position: absolute; ... As the links are pulled in from an external file, if you had say 2,000 pages, you can modify that one file and the whole site is done. ...
(alt.2600)