Last post Dec 01, 2016 03:37 PM by PatriceSc
Nov 30, 2016 09:20 AM | sudip_inn
When we develop a Web API project we can use basic auth and bind an SSL certificate to the Web API project in IIS. When we use an SSL certificate we think the transport layer becomes secured, but what about client side security?
Suppose a Windows client calls a Web API action using HttpClient and passes sensitive data from the client side to the Web API service end. The Web API uses https/SSL but the client is not using any certificate, so tell me how the data will travel from the client side to the service side. Will the data travel in a secured way from the client side to the service side if the client does not use a certificate?
So tell me what steps we need to follow to pass data securely from the client side to the service side and vice versa. Please share the knowledge. Thanks.
Nov 30, 2016 09:39 AM | PatriceSc
Yes, you don't need a client side certificate. See https://en.wikipedia.org/wiki/Transport_Layer_Security#Description and maybe https://en.wikipedia.org/wiki/Mutual_authentication (a client side certificate would authenticate the client machine).
BTW you can also use https://www.ssllabs.com/ to test your server or client configuration (for example, you still negotiate an encryption level and you may want to ensure a minimum level of encryption).
Nov 30, 2016 11:14 AM | sudip_inn
You said: "Yes you don't need a client side certificate."
The server is using an SSL certificate, so when a client Windows app consumes the Web API and calls the action, how will the data automatically be passed securely from the client side to the server side?
There are two ways we can call a Web API action: suppose I have a web application and from there we can call the Web API action by jQuery. I know that a browser can understand the certificate, but when we call the Web API action from a Windows client, how can the Windows client understand the certificate and pass data securely?
Does any way exist to see that data is passing securely from my Windows client to the server, with a tool like Fiddler? Please share your idea of how to be sure that data is passing securely back and forth between client and server or vice versa. Thanks.
Nov 30, 2016 01:19 PM | PatriceSc
It's not just about "understanding the certificate". They negotiate a way to encrypt data (in a secure way) and then they use this encryption when talking to each other.
Yes, a tool such as Fiddler should allow you to compare what happens with a clear text request/response and an encrypted request/response. Of course, as you have access to the local system you can still configure Fiddler to act as a "man in the middle" and decrypt the traffic, but of course if the bad guy has full access to your own PC you are already in big trouble.
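The negotiation PatriceSc describes is done by the Windows client's TLS stack as soon as the request URL uses https; the client code never handles the certificate itself. The following is an added example (not code from the thread or from anyone in it) of a .NET console client that pins the protocol version, logs what the handshake validated, and refuses to send its basic-auth credentials and payload unless the scheme is https. The service URL, credentials, route and JSON body are all placeholders.

```csharp
// Added example: a Windows console client that only ever sends its request
// over https and logs what the TLS handshake validated.
// Assumptions: .NET Framework 4.5+, a Web API reachable at the placeholder
// URL below, and an action "api/values" that accepts a JSON POST with basic auth.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Security;
using System.Text;
using System.Threading.Tasks;

class SecureApiClient
{
    // Placeholder address; replace with your own service.
    const string ServiceBase = "https://yourserver.example/";

    static int Main()
    {
        // C# 6-compatible entry point (async Main needs C# 7.1).
        return Run().GetAwaiter().GetResult();
    }

    static async Task<int> Run()
    {
        // Only allow TLS 1.2 for the negotiation; SSL 3 and TLS 1.0/1.1 are
        // excluded on this client regardless of what the server would accept.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        // Observe, but do not relax, server certificate validation: anything the
        // OS trust store does not trust is still rejected. A Fiddler root
        // certificate you trusted by hand would show up here as "None" errors,
        // which is exactly the "you already had access to the machine" case.
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
            {
                Console.WriteLine("Server certificate: " + cert.Subject);
                Console.WriteLine("Validation result : " + errors);
                return errors == SslPolicyErrors.None;
            };

        var baseUri = new Uri(ServiceBase);
        // Refuse to run at all if the configured address is plain http: the
        // credentials and payload below must never leave over clear text.
        if (baseUri.Scheme != Uri.UriSchemeHttps)
        {
            Console.Error.WriteLine("Refusing to send sensitive data over " + baseUri.Scheme);
            return 1;
        }

        using (var client = new HttpClient { BaseAddress = baseUri })
        {
            // Basic auth is only acceptable because the scheme check above passed.
            var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes("apiuser:apipassword"));
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", credentials);

            // Constructed sample payload standing in for the "sensitive data" in the question.
            var body = new StringContent("{\"accountNumber\":\"0000-TEST\"}", Encoding.UTF8, "application/json");
            HttpResponseMessage response = await client.PostAsync("api/values", body);

            Console.WriteLine((int)response.StatusCode + " " + response.ReasonPhrase);
            Console.WriteLine(await response.Content.ReadAsStringAsync());
            return response.IsSuccessStatusCode ? 0 : 2;
        }
    }
}
```

To answer the "how do I see it in Fiddler" part of the question with this client: with Fiddler's "Decrypt HTTPS traffic" option off, the session list shows only the CONNECT tunnel to the server and no readable request or response, which is the encrypted case; switching the option on makes Fiddler present its own certificate, which the callback above prints and only accepts because its root was trusted on that same machine.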
Dec 01, 2016 10:05 AM | gfw
>>suppose a windows client may call web api action using http client and pass sensitive data from client side to web api service end.
Question... Why not just force the SSL connection from the client side by not accepting the non-SSL request?
Dec 01, 2016 02:56 PM | sudip_inn
Sorry, a few things are still not clear. You said: "The server is using an SSL certificate, so when client Windows apps consume the Web API and call the action, how will the data automatically be passed securely from the client side to the server side?"
The server is using an SSL certificate, but the 3rd party users using the Windows client are not using an SSL certificate, so how will the Windows client understand that it has to send data securely?
Please clear up this confusion.
Again you said: "Yes, a tool such as Fiddler should allow you to compare what happens with a clear text request/response and an encrypted request/response. Of course, as you have access to the local system you can still configure Fiddler to act as a "man in the middle" and decrypt the traffic."
When data travels securely using a certificate, can a user see at all that the data is traveling in an encrypted way by using Fiddler?
One guy said the data encryption is done at OS level before going out, so he said when we inspect the request and response with Fiddler we will see the data is not encrypted and we can read it. Is it true?
How can I prove it at my end? I can use Fiddler to inspect data just to see whether it is encrypted or not. So guide me on how to inspect the data.
Please clear up these 2 points. Thanks.
Dec 01, 2016 03:37 PM | PatriceSc
Using https://yourserver rather than http://yourserver triggers this encryption negotiation. Then of course you prevent the use of http. Some are doing a redirection from http to https with rewriting rules, but my personal preference is really to check "require SSL" on the server side and to handle the redirection by customizing the action for an "SSL required" error.
The encryption happens over the wire. Just using Fiddler will show the difference. Still, you can configure Fiddler to intercept the https traffic, but this is because you have access to the local machine and can manually trust the certificate Fiddler is using to do that (i.e. it's as if the bad guy already had access to your machine anyway).
If you don't have access to at least one side (and of course don't have the certificate), decrypting the traffic should then be significantly more difficult than checking a box and trusting a certificate on the source machine.
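gfw's suggestion of not accepting the non-SSL request and PatriceSc's preference for "require SSL" with a custom redirect can both be expressed in the Web API project itself. Below is an added example (not code posted by anyone in the thread) of an ASP.NET Web API 2 authorization filter that rejects plain http. It assumes Web API 2 hosted in IIS with the https binding on port 443; the filter class name, the route and the error text are my own choices.

```csharp
// Added example: a Web API 2 filter implementing "require SSL" in code.
// Assumptions: ASP.NET Web API 2 in IIS, https bound on the default port 443.
// Note that if "Require SSL" is also checked in IIS, IIS itself returns
// 403.4 before the request ever reaches this filter; the filter is the
// application-level equivalent for hosts where that box is not checked.
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class RequireHttpsApiAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;
        if (request.RequestUri.Scheme == Uri.UriSchemeHttps)
        {
            return; // already encrypted on the wire; let the action run
        }

        HttpResponseMessage response;
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head)
        {
            // A safe method carries no body, so redirecting it to https loses nothing.
            Uri httpsUri = new UriBuilder(request.RequestUri)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = 443 // assumption: default https port; adjust to your IIS binding
            }.Uri;
            response = request.CreateResponse(HttpStatusCode.MovedPermanently);
            response.Headers.Location = httpsUri;
        }
        else
        {
            // A POST/PUT body has already crossed the wire in clear text. A redirect
            // would only make the client resend it, so refuse instead and make the
            // caller's misconfiguration visible in its own logs.
            response = request.CreateResponse(HttpStatusCode.Forbidden,
                "SSL required: call this service over https.");
        }
        actionContext.Response = response;
    }
}

// Registration in App_Start/WebApiConfig.cs so every action is covered,
// rather than relying on each developer to decorate their controllers.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new RequireHttpsApiAttribute());
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}
```

The split between redirecting GET and refusing POST is the reason to handle this in code rather than with a blanket rewrite rule: a rewrite that redirects everything teaches a misconfigured client that http "works", while the sensitive body of its first request has already travelled unencrypted.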