SSL security: end to end vs point to point security

  • Question

  • Dear WCF experts.

    I don't understand why SSL is said to be point to point secure, but end to end insecure.
    Why does it matter if there are intermediaries if only the 2 ends do their handshake?
    How is that different from message security?

    Also, another newbie question. Very simple. Why do we need a transport layer? Can't applications communicate directly with the message layer?

    A confused man

    Wednesday, September 10, 2008 11:57 PM

All replies

  • Hi,

    1) Typically, SSL operates at the transport level, so the "secure channel" is created between the two endpoints of the transport connection and not between the message source and the message final destination.
    MessageSource <--[Secure Channel (e.g. SSL)]--> Intermediary <--[Secure Channel (e.g. SSL)]--> FinalRecipient
    2) You need a transport layer (HTTP, TCP, pipes, MSMQ, ...) to transport the messages.
    HTH

    Pedro Felix

    Thursday, September 11, 2008 10:09 AM
    Moderator
  • This is also a question I have....However, the answer is unclear.
    Are these transport level secure channel Intermediaries...

    Other devices on the internet?

    Other parts of WCF?

    My LAN's gateway when communicating outside of it?
    In particular...

    When I used SSL, as in https://, to perform online banking, how secure is it?
    What intermediaries are involved and how exposed are my transactions?

    Thanks.
    Another Newbie.

    Thursday, October 2, 2008 6:29 PM
  • Hi,

    SSL typically operates over TCP. So, any network element that operates below the TCP level does not have access to the contents transmitted over SSL. This also includes HTTP proxies that tunnel the SSL traffic.

    However, there might be network elements that operate above TCP (e.g. a SOAP router) that need to access parts of a SOAP message. This is what I meant by "intermediaries".

    Consider the scenario where a SOAP router must look inside a SOAP message (e.g. to find the final destination) but may not change its contents. Transport level security does not provide this level of protection.
    HTH

    Pedro Félix
    Thursday, October 2, 2008 10:23 PM
    Moderator
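The two replies above (the hop-by-hop "secure channel" diagram and the SOAP-router scenario) can be made concrete with a small simulation. The following is an added example, not code from the thread or from WCF: it models each transport-level hop as a toy channel that is terminated at the router, and models message-level security as an HMAC signature over the body that only the message source and final recipient can verify. The hop cipher (SHA-256 keystream XOR) and the key names are constructed for the demonstration and are not a real TLS or WS-Security implementation.

```python
"""Point-to-point (transport) versus end-to-end (message) security across a
SOAP-router-style intermediary. Constructed example; not production crypto."""
import hashlib
import hmac
import json
import secrets

# Constructed key shared only by the message source and the final recipient.
MESSAGE_KEY = b"constructed-key-known-to-source-and-final-recipient"


def make_message(body: str, destination: str) -> dict:
    """A SOAP-like envelope: a routing header the router may read, plus a body."""
    return {"header": {"to": destination}, "body": body}


def sign_body(msg: dict, key: bytes) -> dict:
    """Message-level security: an integrity tag over the body only, so the
    routing header stays readable by intermediaries."""
    tag = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return {**msg, "signature": tag}


def verify_body(msg: dict, key: bytes) -> bool:
    """Final recipient checks that the body is exactly what the source signed."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("signature", ""))


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (illustration only): SHA-256(key || counter)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


class HopChannel:
    """One transport-level secure channel (stands in for SSL over TCP).
    It protects bytes between its two endpoints; the endpoint that terminates
    the channel gets the whole plaintext envelope back."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # per-hop key, like a session key

    def send(self, msg: dict) -> bytes:
        plaintext = json.dumps(msg).encode()
        return bytes(p ^ k for p, k in zip(plaintext, _keystream(self.key, len(plaintext))))

    def receive(self, ciphertext: bytes) -> dict:
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(self.key, len(ciphertext))))
        return json.loads(plaintext)


def wire_hides_body(body: str = "pay 10 to Bob") -> bool:
    """Below TCP (or inside an HTTP CONNECT tunnel) an observer sees only the
    hop's ciphertext: the body never appears on the wire in clear."""
    hop = HopChannel()
    return body.encode() not in hop.send(make_message(body, "bank"))


def deliver_via_router(body: str, router_alters_body: bool, message_security: bool):
    """Send a message source -> router -> final recipient over two separate
    transport channels. Returns (body as received, accepted by recipient)."""
    msg = make_message(body, "final-recipient")
    if message_security:
        msg = sign_body(msg, MESSAGE_KEY)
    hop1, hop2 = HopChannel(), HopChannel()  # source<->router, router<->recipient

    # The router terminates hop 1, so it legitimately sees the envelope in the
    # clear and can read the routing header. Nothing in transport security
    # stops it from changing the body before re-encrypting on hop 2.
    at_router = hop1.receive(hop1.send(msg))
    next_hop = at_router["header"]["to"]
    if router_alters_body:
        at_router["body"] = body + " (altered in transit)"
    assert next_hop == "final-recipient"

    received = hop2.receive(hop2.send(at_router))
    accepted = verify_body(received, MESSAGE_KEY) if message_security else True
    return received["body"], accepted
```

With transport security alone, `deliver_via_router("pay 10 to Bob", True, False)` returns the altered body and the recipient accepts it, which is the "end to end insecure" case; with the signed body the same alteration is rejected, while the router could still read the header to route the message. `wire_hides_body()` shows the other half of the reply: elements below TCP, such as a tunnelling HTTP proxy, see only ciphertext.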
  • Thanks Pedro.

    It is a bit clearer now.
    So if we set up http proxies that tunnel communications, SSL is end to end secure.
    I mean, that's no different from message security. There might be network elements that need to perform above SOAP (why not, even if not standard). In that case, SOAP is not end to end secure!

    Thursday, October 2, 2008 11:52 PM