Security management Toolkit

Keeping hackers out of your Web services

David Burgett Builder.com

Published: 14 May 2002 13:09 BST

SSL provides secure communications with minimal development time and is transparent to the user. Because SSL encrypts the traffic before it leaves the client machine, hackers intercepting Web service calls see only the encrypted message, which keeps your method names and parameter definitions secret.

Nevertheless, there are some potential pitfalls to consider before depending on SSL alone to protect your Web services. There is the cost associated with purchasing a digital certificate and service from a Certification Authority. This cost can be as high as $1,000, depending on the Certification Authority and encryption strength of the certificate purchased.

Furthermore, despite the cost, the strength of the certificate purchased does not necessarily determine the strength of the encryption used for each transaction. Most browsers support full 128-bit encryption, but due to export laws these same browsers must also provide a weaker 40-bit version. The number of bits in the key determines how difficult the encryption is to break. Even if you purchase a 128-bit certificate for your Web server, a client browser (or other application) that only supports 40-bit encryption will have its messages automatically encrypted with the weaker protection, unless the server is configured to refuse the weaker cipher suites, in which case the connection fails rather than being downgraded.
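As an added example (not from the original article), the following Python models the negotiation described above: the server takes the first suite in its own preference order that the client also offers, so a 40-bit-only client gets a 40-bit session unless the server refuses such suites, in which case the handshake fails instead of downgrading. The suite table is constructed for illustration; the second function asks the local OpenSSL, through Python's `ssl` module, what the weakest suite left under a `HIGH` cipher policy is.

```python
import ssl

# Constructed, illustrative suite table (suite name -> symmetric key bits).
# The EXP-* entry is the historical 40-bit "export" class the article refers
# to; modern OpenSSL builds no longer ship such suites at all.
SUITE_BITS = {
    "EXP-RC4-MD5": 40,
    "RC4-MD5": 128,
    "AES128-SHA": 128,
    "AES256-SHA": 256,
}


def negotiate(server_prefs, client_offers, min_bits=0):
    """Return the suite the server selects, or None if the handshake fails.

    The server walks its own preference list and takes the first suite that
    the client also offered and that meets the server's minimum key length.
    The certificate plays no part in this choice: a 128-bit certificate on the
    server does nothing to stop a 40-bit session if both sides allow one.
    """
    offered = set(client_offers)
    for suite in server_prefs:
        if suite in offered and SUITE_BITS[suite] >= min_bits:
            return suite
    return None  # no common acceptable suite: the connection is refused


def weakest_allowed_bits(policy="HIGH:!aNULL:!MD5"):
    """Weakest key length the local OpenSSL would still negotiate under a
    server cipher policy string; uses Python's ssl module, so it runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(policy)
    return min(c["strength_bits"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    server = ["AES256-SHA", "AES128-SHA", "RC4-MD5", "EXP-RC4-MD5"]
    export_only_client = ["EXP-RC4-MD5"]
    # Server permits everything: the 40-bit client silently gets 40 bits.
    print(negotiate(server, export_only_client))                # EXP-RC4-MD5
    # Server insists on 128 bits: the handshake fails instead of downgrading.
    print(negotiate(server, export_only_client, min_bits=128))  # None
    # Real check of the local OpenSSL policy: nothing below 128 bits remains.
    print(weakest_allowed_bits())
```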

Another concern is the ability of hackers to break the encryption. A hacker can easily obtain the public portion of your SSL key by simply connecting to a secure Web service and reading the server certificate exchanged at the start of the session. Given the public key, it is in principle possible to compute the private key, which would allow the hacker to decrypt all traffic hitting your Web service. This is a difficult process and not within reach of every would-be high school hacker, but if your Web services offer great enough rewards, such as money transfers or stock purchases, it is well within the realm of possibility.
