Dela via

End to End security, or why you shouldn't drive your motorcycle naked

  • Artikel

Brace yourself, here there's another coming :-)

Today I had to explain to my girlfriend the difference between the expressive power of WS-Security as opposed to HTTPS. She's a computer scientist, so even if she doesn't know all the XML mumbo jumbo she understands (maybe better than me) what encryption or signature means. However I wanted a strong image, which could make her really understand what things are useful for, rather than how they are implemented (that came a bit later, she didn't escape it :-)).

So it goes like this. Suppose you are naked, and you have to drive your motorcycle to a certain destination.
In the (A) case you go through a transparent tunnel: your only hope of not being arrested for obscene behaviour is that nobody is looking. That is not exactly the most secure strategy you can come out with... (notice the sweat drop from the guy forehead :-)). That is equivalent to a POST in clear, and when I say "equivalent" I mean it.
In the (B) case, you are in a better situation. The tunnel is opaque, so as long as you travel into it your public record is safe. However, this is still not the best situation. You still have to leave home and reach the tunnel entrance, and once outside the tunnel probably you'll have to get off and walk somewhere... and that goes for HTTPS. True, your message is safe while it crosses the biggest chasm: but once you delivered it on the other side you don't really know how many stages it will have to go through before reaching the real point where the data will be processed. And of course all those stages could use something different than HTTP: a classical MSMQ which buffers requests which can't be served right away, for example. What happens if somebody lurks your data while they are in that preprocessing limbo? Hm. (read this "hm" as the one uttered by Morpheus at the end of the sentence "do you think it's air you are breathing?").
The complete solution (c) in this metaphor is painfully trivial: get some darn clothes on yourself, and especially the helmet while on the motorcycle!!! So you can safely go around without having to rely on opaqueness of the environments. The metaphor is hopefully clear: the clothes come with you regardless of the mean or the surrounding infrastructure, as the messsage level security does. Furthermore, you can decide to cover one part but reveal another (and you can do that on personal basis: airport security can get your jacket and shoes off, while your doctor may have a higher access level), but remember that short sleeves shirts are bad practice even if you are proud of your biceps :-) (better a polo, or a t-shirt).

I'm happy to say that she got the point! I have to say that the clothes metaphor is very powerful: I was tempted to use it for introducing the concept of policy (disco clubs won't let you in sport shoes; you can't go to withdraw money in a bank in your underwear, while this is perfectly acceptable look while balancing yourself on a surf; and so on) but I thought that for one afternoon it was enough ;-)

Comments

  • Anonymous
    April 25, 2005
    Analogy from End-to-End security to simple to understand example (riding motorcycle).

  • Anonymous
    April 25, 2005
    Analogy from End-to-End security to simple to understand example (riding motorcycle).

  • Anonymous
    April 27, 2005
    Wonderful!
    You've got the power!

  • Anonymous
    September 24, 2007
    In short: I discuss a new feature, introduced by the .NET framework 3.5 and by a (future) update of IE,

  • Anonymous
    April 27, 2010
    Simple but Great Explanation! 100% Realization achieved.

  • Anonymous
    December 01, 2010
    The comment has been removed

  • Anonymous
    February 09, 2011
    It's a great explanation.  But does it follow that if I'm using SOAP services, I should ALWAYS use WS-Security?  It seems to me that if my trading partners are simply requesting, say, account information in a straightforward request/response exchange, there's really no reason TLS wouldn't do the trick.

  • Anonymous
    February 09, 2011
    Hi Stephen, it's always a matter of deciding what's best for your specific scenario: if your requirements are satisfied by transport-based security, by all means stick with it!

  • Anonymous
    February 09, 2011
    Hi Pavan, note that the above is not specific to REST or SOAP... it's more transport vs message security. For rest please take a look at OAuth2.0. have fun :-)