Hi,

I'm using a third-party web service. In order for my users to be able to access their third-party account, they need to log in. I provide the interface for them to log in to the third-party site from my site. My question is, do I need an SSL certificate if the web service already provides one? The web service has a special Login method, which uses the https protocol. Does this mean that I don't need one for my site, or will I have to purchase an SSL certificate for my site?

Thanks

+1  A: 

I think you need to explain a bit more about what you are doing.

Are you using iframes or redirects so that the third party site can do the authentication? If so, then you're probably fine and don't need your own certificate.

If, on the other hand, the user is making HTTP requests to your site that contain their credentials then you've got a problem. Technically speaking, you don't need to use SSL for this, but it's kind of bad behavior. If you're going to accept user credentials for some third party you should at least try to match the third-party's level of security.

Laurence Gonsalves
The user enters the information to my server, which then calls the third-party method. I'm guessing this means that an SSL certificate is needed since the initial transaction is to my server. Might be an obvious question, but is there another way of directly calling a web service, without the data being sent to my server first? Or is that a service that has to be provided by the third party? Thanks
keyboardP
There are ways to have the client authenticate directly with the third-party, but they generally require that the third-party have support for this. (Unless the third-party has an XSRF vulnerability, but you don't really want to rely on that...) It sounds like what you want is OAuth (http://oauth.net/) but that isn't much use to you unless the third-party service you're using has support for it. (A number of services, like Flickr and Google Calendar, have OAuth-like schemes that I believe predate OAuth.)
Laurence Gonsalves
Thank you for the explanation (and answer!), Laurence.
keyboardP
A: 

Because your users log in through your site and will provide their credentials to your web application, you should attempt to protect them as well as you can. So you should enable SSL on your site and get a certificate.

That said, if you don't care about security, then it would also work without an SSL/certificate.

huynhjl
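
Added example, not part of either answer or of any project's code: the setup discussed above has two legs (browser to your server, then your server to the third party), and this WSGI sketch enforces TLS on both. The `/login` path, `CANONICAL_HOST`, `THIRD_PARTY_LOGIN_URL` and the stand-in `login_app` are hypothetical, and the requests in `simulate` are constructed.

```python
from urllib.parse import urlsplit

CANONICAL_HOST = "mysite.example"                               # placeholder
THIRD_PARTY_LOGIN_URL = "https://thirdparty.example/api/Login"  # placeholder

def outbound_leg_is_tls(url):
    """Leg 2 (my server -> third party): only an https endpoint is acceptable."""
    return urlsplit(url).scheme == "https"

def require_tls(app, protected_prefix="/login"):
    """Leg 1 (browser -> my server): WSGI middleware guarding the login path.
    Assumes wsgi.url_scheme reflects the client connection; behind a
    TLS-terminating proxy it must be set from a trusted forwarded header."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(protected_prefix):
            return app(environ, start_response)
        if environ.get("wsgi.url_scheme") == "https":
            def hsts_start(status, headers, exc_info=None):
                hsts = ("Strict-Transport-Security", "max-age=31536000")
                return start_response(status, list(headers) + [hsts], exc_info)
            return app(environ, hsts_start)
        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            # Redirect to a fixed host, never to the client-supplied Host header.
            location = f"https://{CANONICAL_HOST}{path}"
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]
        # A plaintext POST has already crossed the network unencrypted:
        # refuse it instead of forwarding the credentials.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Login is only accepted over HTTPS.\n"]
    return middleware

def login_app(environ, start_response):
    """Stand-in for the handler that would call the third-party Login method."""
    if not outbound_leg_is_tls(THIRD_PARTY_LOGIN_URL):
        raise RuntimeError("third-party login URL is not https")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"forwarded\n"]

def simulate(method, scheme, path="/login"):
    """Run one constructed request through the middleware."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path}
    body = b"".join(require_tls(login_app)(environ, start_response))
    return seen["status"], seen["headers"], body
```

The 403 on a plaintext POST only stops the server from passing the credentials on; the login form itself has to be served and submitted over HTTPS so they are never sent in the clear.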