views: 53
answers: 1

Hi,

I created a web service based on HTTPS which I am sharing with my friends. I am worried about the security of the web service, because username and password will work if they are making the request from the server side. However, if I want to provide a widget like Twitter's, I am worried about having the authentication code in the HTML.

What are the industry best practices?

Regards, Bala

+1  A: 

Review the following:

  • Client certificates - allow the server to identify clients - this is the safest, approved standard way.
  • Some web services use the "client certificates" approach but implement it in a native way. So you expose some method providing asymmetric signature exchange, where you exchange the public parts of the key with the client. Calls to all other methods of the service accept a session key that is checked against the client. (This session key may also be stored in cookies.)
  • One-time password - rather fast: you generate some salt and provide it to the client in a public way. The client must every time calculate a hash from the secret ID and this salt and use it as a parameter to each method.
  • Google API/Yahoo API... use a unique string that identifies the customer; of course it can be compromised, but for public services it is enough to identify the problem and disable the account.
Dewfy
Can you please expand on the last point?
Algorist
@Algorist for example you generate a 256-character string that contains a concatenation of coded or hashed [user name], [issue date], and so on... so this string allows you to identify a user that violates some rules of your web service usage. For example, it tries a DoS attack, but he/she needs to identify itself. Compromising means that such an ID can be stolen, but you cannot know if the user is authentic. So Google/Yahoo temporarily freeze this account until proclamation.
Dewfy
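The "one-time password" bullet in the answer above (a server-issued salt that the client hashes together with its secret and sends with each call) is a nonce challenge-response. The following is an added example, not code from the answer or from any project, showing how a server and client side of that scheme fit together. It generalises the bullet slightly: the hash is an HMAC-SHA256 keyed with the shared secret rather than a plain hash, the tag is bound to the method being called, and each nonce is single-use and time-limited, which is what closes the replay hole a bare "hash of secret and salt" leaves open. The names ChallengeAuthServer, compute_tag, issue_nonce and verify, the user "bala" and the secret value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def compute_tag(secret, nonce, method):
    """Client side: HMAC-SHA256 over the server-issued nonce and the method name.

    The shared secret stays with whoever holds it; only the tag travels over
    the wire with the request. (Names here are illustrative, not a real API.)
    """
    message = f"{nonce}|{method}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ChallengeAuthServer:
    """Server side of the nonce challenge-response scheme (hypothetical name)."""

    def __init__(self, secrets_by_user, nonce_ttl=60.0):
        self._secrets = dict(secrets_by_user)  # user -> shared secret (bytes)
        self._nonces = {}                      # nonce -> (user, issue time)
        self._ttl = nonce_ttl                  # seconds a nonce stays valid

    def issue_nonce(self, user, now=None):
        """Step 1: hand the client a fresh, unpredictable salt in the clear.

        The salt is public, as the answer says; what protects the exchange is
        that it is unguessable, used once and paired with a secret the
        attacker does not have.
        """
        if user not in self._secrets:
            raise KeyError(f"unknown user {user!r}")
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._nonces[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify(self, user, nonce, tag, method, now=None):
        """Step 2: check the tag that accompanies a method call.

        Returns True only if the nonce is known, unused, unexpired, was issued
        to this user, and the tag matches HMAC(secret, nonce|method).
        """
        now = time.time() if now is None else now
        entry = self._nonces.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None:
            return False
        issued_to, issued_at = entry
        if issued_to != user or now - issued_at > self._ttl:
            return False
        expected = compute_tag(self._secrets[user], nonce, method)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample data: one user and one shared secret (not a real credential)
    shared_secret = b"constructed-shared-secret"
    server = ChallengeAuthServer({"bala": shared_secret})

    nonce = server.issue_nonce("bala")                     # server -> client
    tag = compute_tag(shared_secret, nonce, "listItems")   # client computes
    print("first call accepted:", server.verify("bala", nonce, tag, "listItems"))
    print("replayed call accepted:", server.verify("bala", nonce, tag, "listItems"))
```

Note where compute_tag runs: it needs the shared secret, so it belongs on the party that holds that secret. Embedding it in a public widget's HTML would put the secret in front of every visitor, which is exactly the asker's worry; for that case the answer's last bullet (a per-customer identifier that can be revoked) or a server-side proxy that holds the secret is the fitting shape, with the challenge-response reserved for clients that can keep a secret.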