带有https WSDL的SOAP是否安全？

Question

I'm working on a project using PHP and SOAP to connect to a web service, and I have a question about security.

At a basic level, my code is as follows:

// Connect to web service
$client = new SoapClient( 'https://mywebservice.com:8443/whatever?wsdl' );

// Store the response after passing my values for that service
$response = $client->my_service( $my_args );

The SoapClient URL is over https, and is an address to a WSDL. It all functions fine - I'm able to return and post data back with no problems.

The website it will be used on is using SSL sitewide. My question is - is the above method secure for passing sensitive data back and forth if we're using https for the WSDL? Or should I be doing something extra with SOAP I'm not aware of?

I'm aware there's WS-Security, but is that needed if everything is over https?

Thanks

Answer 1

Answering security questions requires asking self what we are trying to protect, and what could attack vectors be.

In short HTTPS, from your requirements, is safe. This because you are asking whether SSL can securely protect an information the web server knows and wants to send to the back-end server. SSL is for that. You don't need to use additional WS-Security features. At least please validate server certificate.

This is safe as soon as all the website runs under SSL and you implement all common requirements for secure websites, including the HSTS header and refuse to serve HTTP requests. I am saying this because I assume that the sensitive data you may like to protect comes from the client.

Example 1

As an example, suppose a credit card payment system with a vulnerability.

• Client connects via HTTPS to web server and sends CC number. No one can see that
• Server pushes the card number to back-end via HTTPS. No one can see that
• Back end stores the credit card number plaintext in the database system

The answer will be: "OK, you are protecting communication between web server and backend, but beware that someone is interested at looking at the database". Imagine a SQL injection vulnerability on an HTTPS website capable of dumping credit cards database. This is not what HTTPS is for.

Example 2

Now let's examine another scenario where HTTPS is not enough. Basically, HTTPS protects end-to-end communications. Here is my requirement:

• The payment authorization must be permanently signed by the machine requesting for the payment and stored for future auditing in a third-party service

Clearly SSL won't solve this. Suppose your web service is part of a community and the back-end server talks with several web servers. SSL will protect and authenticate traffic between web and back end, however the back-end server can store arbitrarily valid SOAP messages claiming they come from your web server

You must sign the SOAP payload for that, and use WS-Security. The payload can be transferred to a third party auditing service, enveloped in an external SOAP message authenticated by the back-end service.

Example 3: let's make things complicated

Now let me alter your question. "How can I allow a client to send the web server a sensitive information that the server cannot read but the back-end can read?".

Here is, for example, when a POS machine (like the below photo, courtesy of Google Images) wants to send your web server a purchase order without revealing the CC number, that will be known only to the bank.

Sorry, I can't find a university work I did in the past years about this scenario because I had a slide about it.

Then SSL is not enough and you can use WS-Security to do the following:

• Client forms a SOAP message containing the card number that is encrypted with the back-end server key
• Client envelopes that SOAP message with a purchase order containing the items and sends it to your server, even via HTTP
• Web Server takes the purchase order and prepares the order
• Web Server takes the unreadable SOAP message encrypted for the bank and issues a payment order
• On successful payment, the order is delivered