5

I have a few web services that are accessed over public wifi connections and I think it would be a good idea to issue certificates to encrypt data, prevent MITM, and invalid impersonation (beyond what HTTPS provides).

Most of the client interaction I've seen with certificates involves a "fat client" and not so much with web sessions or JavaScript.

That being said,

  • What kind of standards should my JavaScript clients and web clients use?

  • Will traditional clients be able to use the same web interface, or is a different standard appropriate (WS-*)?

makerofthings7
  • I have not seen this implementation in a website. Won't each of your clients have to install the client certificate on their end in a secure way to make this happen? – schroeder Dec 19 '12 at 20:13
  • @schroeder Yes, a certificate would have to be installed (or generated). I'm staying out of the provisioning part of the question (how to give people their own cert) – makerofthings7 Dec 19 '12 at 20:26

1 Answer

1

If you want to secure web services with a fat client (standalone app, mobile app, other server) you can use the WS-Security protocol suite. It's widely used in SOAs and other enterprise deployments. It provides strong auth, and some security and anti-replay solutions in a standardized fashion.

But if you want to use JS then you would have to stick with an authentication token and SSL, I guess.

damiankolasa