views: 234
answers: 3

This is the situation: I have one web service without SSL, which provides two pages for the other web application. When the user submits these pages, an XML file with private information is sent to the web service.

How can I provide the necessary privacy protection on the XML file? Is the one certificate good enough to give the appropriate security?

I'm not sure about this one, and am in the preparation phase of a project... So I need to know the work involved on this part...

A: 

Certificates are tied to the hostname of the server (or, with wildcard certificates, all the hosts in a domain). So if the two services are on the same host, then both can use the same certificate.

If they are not on the same host there will be no transport security on the non-SSL service unless this is added separately. WCF has support for message (or part of message) encryption.

Richard
Hmmmm, thanks for the answer. Unfortunately I have to use .NET 2.0 according to company guidelines. But I could use System.Security.Cryptography..
Rickjaah
Given .NET 3 and 3.5 are .NET with extra libraries/compilers but the same runtime, it is worth chipping away at "blocking for the sake of it" (especially if you can say it would have an easy solution to this problem). Given the limitation: offer a price for a second certificate.
Richard
A: 

As an alternative to SSL you could encrypt the file yourself using any of the algorithms available in System.Security.Cryptography, but then you have to work out a mechanism to exchange your key(s).

However by far the easiest way will be to have both web services using SSL endpoints. That will take care of all your confidentiality, integrity and identity considerations in one fell swoop.

sipwiz
Hmmm, I guess you're right about the SSL endpoints, but these cost money for commercial companies, right? Because then I would have to ask if they want to invest in this.
Rickjaah
Yes they do but at around USD100 or so a pop they are pretty cheap when you consider the development time you'd need to put in for an alternative. You can also create self signed certificates for free using makecert or openssl. In that case you need to trust each other's certificate.
sipwiz
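What "encrypt the file yourself" in the answer above amounts to, as an added example that is not code from the thread or from any of its posters: a hybrid envelope written against the .NET 2.0 surface of System.Security.Cryptography. The class and method names (XmlEnvelope, Seal, Open) are assumptions, and the receiver is assumed to publish its RSA public parameters once (for instance taken from its self-signed certificate), which is the key-exchange mechanism the answer says you must work out.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Envelope: [4-byte wrappedLen][RSA-OAEP(aesKey||macKey)][32-byte HMAC-SHA256][16-byte IV][AES-CBC ciphertext]
public static class XmlEnvelope   // hypothetical helper, not from the thread
{
    public static byte[] Seal(string xml, RSAParameters receiverPublicKey)
    {
        byte[] keys = new byte[64], body, wrapped;       // fresh 32-byte AES key + 32-byte HMAC key per message
        new RNGCryptoServiceProvider().GetBytes(keys);
        using (RijndaelManaged aes = new RijndaelManaged())   // AES-256-CBC, PKCS7, as shipped in .NET 2.0
        {
            aes.Key = Slice(keys, 0, 32); aes.GenerateIV();
            byte[] pt = Encoding.UTF8.GetBytes(xml);
            using (ICryptoTransform enc = aes.CreateEncryptor())
                body = Concat(aes.IV, enc.TransformFinalBlock(pt, 0, pt.Length));   // body = IV || ciphertext
        }
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(receiverPublicKey);     // public half only: anyone can seal, one party can open
            wrapped = rsa.Encrypt(keys, true);           // true = OAEP padding
        }
        byte[] tag = new HMACSHA256(Slice(keys, 32, 32)).ComputeHash(body);   // integrity over IV and ciphertext
        return Concat(Concat(BitConverter.GetBytes(wrapped.Length), wrapped), Concat(tag, body));
    }

    public static string Open(byte[] env, RSAParameters receiverPrivateKey)
    {
        int wl = BitConverter.ToInt32(env, 0); byte[] keys;
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(receiverPrivateKey);
            keys = rsa.Decrypt(Slice(env, 4, wl), true);
        }
        byte[] body = Slice(env, 36 + wl, env.Length - 36 - wl);
        byte[] expected = new HMACSHA256(Slice(keys, 32, 32)).ComputeHash(body);
        int diff = 0;                                    // compare tags without an early exit
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ env[4 + wl + i];
        if (diff != 0) throw new CryptographicException("HMAC mismatch: envelope altered or wrong key");
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.Key = Slice(keys, 0, 32); aes.IV = Slice(body, 0, 16);
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
        }
    }
    static byte[] Slice(byte[] s, int off, int len) { byte[] r = new byte[len]; Buffer.BlockCopy(s, off, r, 0, len); return r; }
    static byte[] Concat(byte[] a, byte[] b) { byte[] r = new byte[a.Length + b.Length]; Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length); return r; }
}
```

Generate the pair on the receiver with new RSACryptoServiceProvider(2048), hand ExportParameters(false) to the sender and keep ExportParameters(true) private; a tampered envelope fails the HMAC check before the AES decryption runs.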
A: 

The simplest solution is certainly to use TLS, ex-SSL (widely supported in every programming language).

There is no need to buy a certificate (and it brings no extra security, it is mostly there to make PHBs feel better): either create self-signed certificates or set up your own CA.

bortzmeyer