.NET Form Client Connection to .Net Web Service via SSL

JeffreyT

Hi Experts,

I consider myself an advanced .NET developer but I am new to SSL. My
question is both simple and perhaps foolish.

I have a .NET Form client consuming a .NET WS via an https request.
I've set up a server-side certificate through a Certificate Authority.

I am using ICertificatePolicy, in my client code, to override the
validation of the server certificate. Hence, by default I think I am
telling the client app to just go ahead and assume the server-side
certificate is valid.

My questions are the following:
1) How do I know if the communication channel is "truly" secure? Is
my data really being encrypted?
2) Do I really not need a client-side certificate to use SSL for client
to server communication in my windows form app?
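
An added example, not code from the thread: the accept-everything `ICertificatePolicy` the question describes, next to a validation callback that rejects any certificate the framework flags. It assumes .NET Framework 2.0 or later; the class names `AcceptAllPolicy` and `StrictValidation` are hypothetical, and the calls in `Main` use constructed inputs.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// The kind of policy the question describes: every server certificate is
// accepted, so traffic is encrypted but the server's identity is never checked.
class AcceptAllPolicy : ICertificatePolicy
{
    public bool CheckValidationResult(ServicePoint servicePoint,
                                      X509Certificate certificate,
                                      WebRequest request,
                                      int certificateProblem)
    {
        // Ignores expiry, host name mismatch and untrusted issuers alike.
        return true;
    }
}

// Hardened form: accept only when the framework reports no chain or name error.
static class StrictValidation
{
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Log the reason so a rejected connection can be diagnosed.
        Console.Error.WriteLine("Rejected server certificate: " + errors);
        return false;
    }

    static void Main()
    {
        // Install once at start-up, before the web service proxy makes a call.
        ServicePointManager.ServerCertificateValidationCallback = Validate;

        // Constructed inputs: the error flags the framework would pass in
        // for a clean certificate, a wrong host name, and an untrusted chain.
        Console.WriteLine(Validate(null, null, null, SslPolicyErrors.None));
        Console.WriteLine(Validate(null, null, null,
            SslPolicyErrors.RemoteCertificateNameMismatch));
        Console.WriteLine(Validate(null, null, null,
            SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```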
 
CESAR DE LA TORRE [MVP]

If you are using SSL with a 128-bit Server Certificate, it is quite secure.
Its encryption would be very difficult to break. BUT, DO NOT use a 64-bit
Server Certificate, it is not very secure.
About the other question, if you want to make sure about encryption, you can
use any sniffer to take a look at the traffic, so you'll see it is encrypted.
Anyway, if your URL is 'HTTPS', it is being encrypted, for sure. ;-) You
cannot use HTTPS without encrypting.

For SSL Communication (SSL provides just end to end encryption) you only
need a Server Certificate, you don't need any Client Certificate. Client
Certificates are for AUTHENTICATION and DIGITAL-SIGNING, not for encrypting.
Also, you could authenticate either with Client-Certificates or any other
credentials, like "user-password", Windows-Integrated.
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]
 
CESAR DE LA TORRE [MVP]

BTW, about security using WebServices (Encrypt, Sign, Auth, etc.), the best
way you can control everything, AT MESSAGE SOAP LEVEL (instead of at protocol
level like SSL), is using WS-Security specifications (part of WS-*
specifications).

Microsoft WS-* specifications are being implemented by Microsoft in the
following ways:

- WSE 2.0 SP2 ("Web Services Enhancements" - Current release version)
http://www.microsoft.com/downloads/...C5-821F-41D3-A4FE-6C7B56423841&displaylang=en

- WSE 3.0 Beta ("Web Services Enhancements" - Next version)
http://www.microsoft.com/downloads/...9A-D107-4F19-B8E7-B01DA67A5C02&displaylang=en

- WCF (Windows-Communication-Foundation, codename "INDIGO"). This is the
future in communications over Windows Platform (Windows Vista and Windows
Longhorn Server)
http://www.microsoft.com/downloads/...468-5807-4ff7-a363-ce6fe69b8f04&displaylang=e
http://www.microsoft.com/downloads/...4C-CCBD-452F-9D90-F4B7190CCA24&displaylang=en
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]


