Re: SSL Encryption
From: Shao-Ju Chao (Bruce) (bruce.chao_at_ncmail.net)
Date: 07/18/03
- In reply to: Alun Jones [MS MVP]: "Re: SSL Encryption"
Date: Fri, 18 Jul 2003 09:40:18 -0400
This question was asked because we're considering a web service scenario. In a
normal web browsing experience, the user goes to the secure sign-on screen first
(the first request), and then submits his/her credentials (the second request) --
so as long as the credentials are submitted when the "golden key" is there, we
consider it secure.

But in a web service scenario, we want the users to submit their credentials in
their first request (that is, no sign-on screen and directly pass the credentials
to the program that authenticates users). Alun, from what you said, it seems that
as long as the client uses "https", then ALL communications between client &
server are encrypted.

Another question: if you are right, why am I hearing people say that there is not
yet a standard for web service security? Isn't Web Services Over SSL a perfect
solution? Why do the vendors still develop their own security solutions? (for
example, MS, IBM, Sun etc.)

"Alun Jones [MS MVP]" wrote:
> In article <3F16908F.60266A10@ncmail.net>, "Shao-Ju Chao (Bruce)"
> <bruce.chao@ncmail.net> wrote:
> >So are you saying, either I use GET or POST, it is not safe for the client to
> >send credentials to the secure server BEFORE the secure channel is there? The
> >channel is secure only when secure server responds to the client, right?
>
> You're essentially never going to get the chance, if you ask for an HTTPS
> connection, to get into that situation. The HTTPS connection starts with
> the client connecting to the server on port 443. Then the client sends a
> "ClientHello", which basically says "let's start talking encrypted". The
> server responds, they exchange keys, and then start talking encrypted. At
> this point, your action comes in.
>
> So, as long as you use https, as soon as you specify an https connection,
> all traffic that _you_ can put on that connection will be encrypted, and the
> same goes for the server.
>
> I could go into a more technical description of the whole thing, but the
> point is that an https transaction involves encryption from as early as
> possible right to the end.
>
> Alun.
> ~~~~
>
> [Please don't email posters, if a Usenet response is appropriate.]
> --
> Texas Imperial Software | Find us at http://www.wftpd.com or email
> 1602 Harvest Moon Place | alun@texis.com.
> Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
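
The ordering described in the quoted reply (ClientHello first, application data only after the key exchange) can be checked offline; the following is an added example, not part of the original thread. It drives only the client half of a TLS connection through in-memory buffers using Python's `ssl` module; the host name `service.example` and the request body are constructed sample values.

```python
import ssl

# Constructed request: a web-service call carrying credentials in its first request.
REQUEST = (b"POST /auth HTTP/1.1\r\nHost: service.example\r\n"
           b"Content-Length: 32\r\n\r\nuser=alice&password=ExamplePass1")

HANDSHAKE, CLIENT_HELLO = 22, 1  # TLS record content type / handshake message type


def parse_records(wire):
    """Split raw bytes into (content_type, payload) TLS records."""
    records, pos = [], 0
    while pos + 5 <= len(wire):
        # Record header: type (1 byte), legacy version (2), payload length (2).
        length = int.from_bytes(wire[pos + 3:pos + 5], "big")
        records.append((wire[pos], wire[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records


def first_flight():
    """Try to send REQUEST on a fresh TLS client and report what reaches the wire."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()  # stand-ins for the socket
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="service.example")

    write_blocked = False
    try:
        tls.write(REQUEST)        # application data offered before any handshake
    except ssl.SSLWantReadError:  # the library needs the server's reply first
        write_blocked = True

    wire = outgoing.read()        # every byte that would have been transmitted
    records = parse_records(wire)
    return {
        "write_blocked": write_blocked,
        "record_types": [ctype for ctype, _ in records],
        "first_message": records[0][1][0] if records else None,
        "plaintext_on_wire": b"password" in wire,
    }


if __name__ == "__main__":
    print(first_flight())
```

The only bytes queued for the network are handshake records beginning with a ClientHello; the request stays inside the library until the handshake has finished.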