Secure Web Services REST over HTTPS vs SOAP WS-Security Which is better

Question

I m not a security expert by any means  but I favor creating REST-style web services     In creating a new service which needs to have the data it transmits secure   We ve entered a debate over which approach is more secure - REST with HTTPS or a SOAP WS with WS-Security   I am under the impression we could use HTTPS for all the web service calls and this approach would be secure   The way I look at it is   if HTTPS is good enough for bank and financial web sites  it s good enough for me    Again  I m not expert in this space  but I d think that these people have thought considerably hard about this problem and are comfortable with HTTPS   A coworker disagrees and says SOAP and WS-Security is the only way to go   The web seems all over the board on this   Maybe the community here could weigh in on the pros and cons of each   Thanks

User · Answer

Brace yourself  here there s another coming  -    Today I had to explain to my girlfriend the difference between the expressive power of WS-Security as opposed to HTTPS  She s a computer scientist  so even if she doesn t know all the XML mumbo jumbo she understands  maybe better than me  what encryption or signature means  However I wanted a strong image  which could make her really understand what things are useful for  rather than how they are implemented  that came a bit later  she didn t escape it  -     So it goes like this  Suppose you are naked  and you have to drive your motorcycle to a certain destination  In the  A  case you go through a transparent tunnel  your only hope of not being arrested for obscene behaviour is that nobody is looking  That is not exactly the most secure strategy you can come out with     notice the sweat drop from the guy forehead  -    That is equivalent to a POST in clear  and when I say  equivalent  I mean it  In the  B  case  you are in a better situation  The tunnel is opaque  so as long as you travel into it your public record is safe  However  this is still not the best situation  You still have to leave home and reach the tunnel entrance  and once outside the tunnel probably you ll have to get off and walk somewhere    and that goes for HTTPS  True  your message is safe while it crosses the biggest chasm  but once you delivered it on the other side you don t really know how many stages it will have to go through before reaching the real point where the data will be processed  And of course all those stages could use something different than HTTP  a classical MSMQ which buffers requests which can t be served right away  for example  What happens if somebody lurks your data while they are in that preprocessing limbo  Hm   read this  hm  as the one uttered by Morpheus at the end of the sentence  do you think it s air you are breathing     The complete solution  c  in this metaphor is painfully trivial  get some darn clothes on yourself  and especially the helmet while on the motorcycle    So you can safely go around without having to rely on opaqueness of the environments  The metaphor is hopefully clear  the clothes come with you regardless of the mean or the surrounding infrastructure  as the messsage level security does  Furthermore  you can decide to cover one part but reveal another  and you can do that on personal basis  airport security can get your jacket and shoes off  while your doctor may have a higher access level   but remember that short sleeves shirts are bad practice even if you are proud of your biceps  -   better a polo  or a t-shirt    I m happy to say that she got the point  I have to say that the clothes metaphor is very powerful  I was tempted to use it for introducing the concept of policy  disco clubs won t let you in sport shoes  you can t go to withdraw money in a bank in your underwear  while this is perfectly acceptable look while balancing yourself on a surf  and so on  but I thought that for one afternoon it was enough  -   Architecture - WS  Wild Ideas  Courtesy   http   blogs msdn com b vbertocci archive 2005 04 25 end-to-end-security-or-why-you-shouldn-t-drive-your-motorcycle-naked aspx

User · Answer

REST Over HTTPS Should be a secure method as long as API provider implements authorization a server end  In a case of web application as well what we do is accessing a web application via HTTPS and some authentication authorization  traditionally web applications did not have security issues then Restful API would also counter security issues without problem

User · Answer

REST security is transport dependent while SOAP security is not   REST inherits security measures from the underlying transport while SOAP defines its own via WS-Security   When we talk about REST  over HTTP - all security measures applied HTTP are inherited and this is known as transport level security   Transport level security  secures your message only while its on the wire - as soon as it leaves the wire  the message is no more secured   But  with WS-Security  its message level security - even though the message leaves the transport channel it will be still protected  Also - with message level security you can partly encrypt the message  not the entire message  but only the parts you want  - but with transport level security you can t do it   WS-Security has measures for authentication  integrity  confidentiality and non-repudiation while SSL doesn t support non repudiation  with 2-legged OAuth it does    In performance-wise SSL is very much faster than WS-Security   Thanks

User · Answer

As you say  REST is good enough for banks so should be good enough for you   There are two main aspects to security  1  encryption and 2  identity   Transmitting in SSL HTTPS provides encryption over the wire  But you ll also need to make sure that both servers can confirm that they know who they are speaking to  This can be via SSL client certificates  shares secrets  etc   I m sure one could make the case that SOAP is  more secure  but probably not in any significant way  The nude motorcyclist analogy is cute but if accurate would imply that the whole internet is insecure

User · Answer

I work in this space every day so I want to summarize the good comments on this in an effort to close this out   SSL  HTTP s  is only one layer ensuring    The server being connected to presents a certificate proving its identity  though this can be spoofed through DNS poisoning   The communications layer is encrypted  no eavesdropping     WS-Security and related standards implementations use PKI that    Prove the identity of the client  Prove the message was not modified in-transit  MITM   Allows the server to authenticate authorize the client    The last point is important for service requests when the identity of the client  caller  is paramount to knowing IF they should be authorized to receive such data from the service  Standard SSL is one-way  server  authentication and does nothing to identify the client

User · Answer

If your RESTFul call sends XML Messages back and forth embedded in the Html Body of the HTTP request  you should be able to have all the benefits of WS-Security such as XML encryption  Cerificates  etc in your XML messages while using whatever security features are available from http such as SSL TLS encryption

User · Answer

Technically  the way you have it worded  neither is correct  because the SOAP method s communication isn t secure  and the REST method didn t say anything about authenticating legitimate users     HTTPS prevents attackers from eavesdropping on the communication between two systems   It also verifies that the host system  server  is actually the host system the user intends to access     WS-Security prevents unauthorized applications  users  from accessing the system      If a RESTful system has a way of authenticating users and a SOAP application with WS-Security is using HTTPS  then really both are secure   It s just a different way of presenting and accessing data

User · Answer

The answer actually depends on your specific requirements   For instance  do you need to protect your web messages or confidentiality is not required and all you need is to authenticate end parties and ensure message integrity  If this is the case - and it often is with web services - HTTPS is probably the wrong hammer   However - from my experience - do not overlook the complexity of the system you re building   Not only HTTPS is easier to deploy correctly  but an application that relies on the transport layer security is easier to debug  over plain HTTP    Good luck

User · Answer

I don t yet have the rep needed to add a comment or I would have just added this to Bell s answer   I think Bell did a very good job of summing up the top level pros and cons of the two approaches   Just a few other factors that you might want to consider   1  Do the requests between your clients and your service need to go through intermediaries that require access to the payload   If so then WS-Security might be a better fit   2  It is actually possible to use SSL to provide the server with assurance as to the clients identity using a feature called mutual authentication   However  this doesn t get much use outside of some very specialized scenarios due to the complexity of configuring it   So Bell is right that WS-Sec is a much better fit here   3  SSL in general can be a bit of a bear to setup and maintain  even in the simpler configuration  due largely to certificate management issues   Having someone who knows how to do this for your platform will be a big plus   4  If you might need to do some form of credential mapping or identity federation then WS-Sec might be worth the overhead   Not that you can t do this with REST  you just have less structure to help you   5  Getting all the WS-Security goop into the right places on the client side of things can be more of a pain than you would think it should   In the end though it really does depend on a lot of things we re not likely to know   For most situations I would say that either approach will be  secure enough  and so that shouldn t be the main deciding factor

User · Answer

See the wiki article   In point-to-point situations confidentiality and data integrity can also be enforced on Web services through the use of Transport Layer Security  TLS   for example  by sending messages over https  WS-Security however addresses the wider problem of maintaining integrity and confidentiality of messages until after a message was sent from the originating node  providing so called end to end security   That is   HTTPS is a transport layer  point-to-point  security mechanism WS-Security is an application layer  end-to-end  security mechanism

User · Answer

HTTPS secures the transmission of the message over the network and provides some assurance to the client about the identity of the server  This is what s important to your bank or online stock broker  Their interest in authenticating the client is not in the identity of the computer  but in your identity  So card numbers  user names  passwords etc  are used to authenticate you  Some precautions are then usually taken to ensure that submissions haven t been tampered with  but on the whole whatever happens over in the session is regarded as having been initiated by you   WS-Security offers confidentiality and integrity protection from the creation of the message to it s consumption  So instead of ensuring that the content of the communications can only be read by the right server it ensures that it can only be read by the right process on the server  Instead of assuming that all the communications in the securely initiated session are from the authenticated user each one has to be signed   There s an amusing explanation involving naked motorcyclists here   https   docs microsoft com archive blogs vbertocci end-to-end-security-or-why-you-shouldnt-drive-your-motorcycle-naked  So WS-Security offers more protection than HTTPS would  and SOAP offers a richer API than REST  My opinion is that unless you really need the additional features or protection you should skip the overhead of SOAP and WS-Security  I know it s a bit of a cop-out but the decisions about how much protection is actually justified  not just what would be cool to build  need to be made by those who know the problem intimately

[web-services] Secure Web Services: REST over HTTPS vs SOAP + WS-Security. Which is better?

Examples related to web-services

Examples related to security

Examples related to rest

Examples related to soap