Why SSL is not the right option for web service security?

Security to web services is always not pretty straight forward…

This post primarily discusses the reasons why SSL (Secure Socket Layer) is not a best fit for ensuring web service security. SSL stands for Secure Socket Layer popularly works on Transport layer as HTTPS.

* Web services need end-to-end security, where as SSL provides point-to-point security. While passing through SSL the message has to pass through multiple intermediaries that might not have enough security protection policies enforced! These intermediaries might pose a threat in compromising the integrity, confidentiality of the message
* SSL doesn’t support non-repudiation. For definition of non-repudiation you may browse through on the net

* SSL provides security only over the transport layer but not at the message level
* If you want to encrypt Credit card information or sign a particular portion of the SOAP message then SSL is not the right option

More Here


Courtesy:http://dailyraaga.wordpress.com/