Does WS-Security protocol require SSL - encryption

Does the WS-Security protocol require SSL for encrypting messages and for authenticating clients using certificates, or is WS-Security independent of SSL, so that it doesn't use SSL to perform the encryption and certificate authentication?
Thank you.

SSL (and the newer TLS) is apparently an alternative to WS-Security, so I doubt that WS-Security requires SSL. http://en.wikipedia.org/wiki/WS-Security#Transport_Layer_Security_.28Without_WS-Security.29

You can encrypt and sign with WS-Security. That said, SSL is a much better understood protocol with very low overhead. SSL/TLS is not computationally expensive any more.
So you should consider using SSL first and WS-Security only if needed. WS-Security is an option if you use authentication based on security token formats such as SAML, Kerberos, or X.509.

Related

Possible to build Ocserv vpn project to use plain http

Is it possible to modify Ocserv on clients so that it runs on plain HTTP instead of SSL and uses a simple XOR or a custom encryption?
I know that it is insecure, but in my case I don't care about security; TLS overhead (including handshake time) and also SSL censorship are the major concerns.

use BASIC authentication with client certificate authentication

Is it possible, in general, for a server to require both client certificate authentication and BASIC authentication?
For example, an intranet site of some sort which requires:
The machine to have a specific certificate installed (client cert authentication), AND
A valid user to log in (basic authentication).
NOTE: this question isn't about a server supporting one or the other, but both together (as in, the requester must authenticate both ways).
Yes, it is possible to have both. The client certificate will be verified during the TLS handshake while basic authentication will be done at the HTTP level, i.e. inside the TLS connection after the TLS handshake is done and the client certificate checked.
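As an added illustration (not part of the original answer), here is an nginx server block that enforces both layers in the order the answer describes: the client certificate is verified as part of the TLS handshake, and Basic authentication is checked per request inside that TLS connection. Hostnames, file paths, the realm name and the backend address are placeholders.

```nginx
# Added example, not from the original answer.
# All paths, names and addresses below are placeholders.
server {
    listen 443 ssl;
    server_name intranet.example;              # placeholder hostname

    # Server side of the TLS handshake (server authentication).
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Layer 1: client certificate authentication, done at the TLS layer.
    # Only certificates that chain to this CA are accepted; a connection
    # whose handshake carried no acceptable certificate is rejected by
    # nginx before any location-level (HTTP) checks run.
    ssl_client_certificate /etc/nginx/tls/intranet-ca.crt;
    ssl_verify_client      on;

    location / {
        # Layer 2: HTTP Basic authentication, evaluated for each request
        # that already arrived over the certificate-authenticated connection.
        auth_basic           "Intranet";
        auth_basic_user_file /etc/nginx/htpasswd;

        proxy_pass http://127.0.0.1:8080;      # placeholder backend
    }
}
```

A client that passes the certificate check but sends no or wrong credentials receives 401 from the location block, so both factors are required for any request to reach the backend.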

Is it possible to use Auth0 server over HTTP instead of HTTPS?

Is it possible to use Auth0 server over HTTP instead of HTTPS?
If yes, how?
If not, why?
(I know that HTTP is sniffable.)
It's not possible.
A secure transport layer is required on all of the communication flows used in the authorization protocols supported by Auth0: OAuth2, OIDC, SAML and WS-Federation. This is to ensure the security of items such as credentials, tokens, and personally identifiable information.
HTTPS is also mandatory for the administration Dashboard and every related service. Again, it wouldn't make sense to exchange information used to secure systems over an insecure protocol.

Difference between http and https authentication

In school we have a teacher who always asks questions which look easy but are not.
So, can anybody please tell me, in a very accurate way, what is the difference between HTTP and HTTPS authentication?
HTTPS is HTTP inside an SSL/TLS tunnel.
Like a postcard (HTTP) in an envelope (SSL/TLS).
SSL/TLS has 3 main properties:
authentication of the server: a trusted authority has signed the certificate used by the server
confidentiality: only the client and the server can decrypt the data
integrity: the data cannot be modified during transport without the receiver noticing it.
Note: SSL/TLS can be used with a certificate not signed by a trusted authority (but the client will show a warning about that).
HTTP does not scramble the data to be transmitted. That's why there is a higher chance that transmitted information is available to hackers. It operates at the TCP/IP level. It uses port 80 by default.
HTTPS is an abbreviation of Hyper Text Transfer Protocol Secure. It is a highly advanced and secure version of HTTP. It uses port 443 for data communication. It allows secure transactions by encrypting the entire communication with SSL. It is a combination of the SSL/TLS protocol and HTTP. It provides encrypted and secure identification of a network server.
Limitations of HTTPS:
The HTTPS protocol can't stop the stealing of confidential information from pages cached in the browser.
SSL data can be encrypted only during transmission on the network, so it can't clear the text in the browser's memory.
For HTTP the browser performs a basic handshake with the server as per the rules of the HTTP protocol. It does not validate the authenticity of the server. However, for HTTPS the browser validates the authenticity of the server using the SSL certificate with the client. If the certificate is authentic, then SSL keys are exchanged between browser and server and all messages are encrypted, thus preventing a man-in-the-middle attack. In HTTP there is no SSL certificate and all data is sent in plain text, which is vulnerable to a man-in-the-middle attack.

https security features

What makes https more secure than http?
The short answer is that HTTPS communication between your browser and the server is encrypted, while HTTP traffic is sent in plain text. This means that anyone who can listen to the traffic can read it (this would include usernames and passwords). It also verifies the server to which you are connecting.
That it is encrypted. Read: en.wikipedia.org/wiki/HTTP_Secure
Anything not over HTTPS can be read by anyone snooping on your network.
I'm quoting:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.
More information on TLS:
The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.
Also, HTTPS verifies that the site is who it claims to be, if the certificates are correct (signed by a known CA).
All traffic is encrypted. No one on your network can see what is going on (except for knowing where those packets are going to).
The identity of the remote server can be verified using certificates. So you also know that it really is your bank that you are talking to.
Optionally (and not in widespread use), the identity of the client can also be verified using certificates. This would allow for secure login to a site using chip cards instead of (or in addition to) passwords.
I want to be really pedantic, as I'm a security nerd :)
HTTPS uses SSL, and its IETF-ratified cousin, TLS. SSL/TLS can offer four security services:
1) server authentication
2) channel encryption
3) channel tamper detection
4) client authentication
Usually you'll get server auth for free, but only if the host name and the common name in the server's SSL/TLS certificate match. If they don't match, your browser will warn you. You usually get the channel defenses for free too, but that's only because the server and client negotiate to require such defenses. In theory, but rarely in practice, a server and client could agree not to use one or more of the channel defenses.
Finally, client authentication is when the server wants you to present a certificate (actually, to prove you have an associated private key) to verify you are you. Client authentication is rarely used.