Secure Web Services: REST over HTTPS vs SOAP + WS-Security. Which is better?

web-services security rest soap
Vinnie picture Vinnie · May 12, 2009 · Viewed 224.1k times · Source

I'm not a security expert by any means, but I favor creating REST-style web services.

In creating a new service which needs to have the data it transmits secure. We've entered a debate over which approach is more secure - REST with HTTPS or a SOAP WS with WS-Security.

I am under the impression we could use HTTPS for all the web service calls and this approach would be secure. The way I look at it is, "if HTTPS is good enough for bank and financial web sites, it's good enough for me". Again, I'm not expert in this space, but I'd think that these people have thought considerably hard about this problem and are comfortable with HTTPS.

A coworker disagrees and says SOAP and WS-Security is the only way to go.

The web seems all over the board on this.

Maybe the community here could weigh in on the pros and cons of each? Thanks!

Answer

Bell picture Bell · May 12, 2009

HTTPS secures the transmission of the message over the network and provides some assurance to the client about the identity of the server. This is what's important to your bank or online stock broker. Their interest in authenticating the client is not in the identity of the computer, but in your identity. So card numbers, user names, passwords etc. are used to authenticate you. Some precautions are then usually taken to ensure that submissions haven't been tampered with, but on the whole whatever happens over in the session is regarded as having been initiated by you.

WS-Security offers confidentiality and integrity protection from the creation of the message to it's consumption. So instead of ensuring that the content of the communications can only be read by the right server it ensures that it can only be read by the right process on the server. Instead of assuming that all the communications in the securely initiated session are from the authenticated user each one has to be signed.

There's an amusing explanation involving naked motorcyclists here:

https://docs.microsoft.com/archive/blogs/vbertocci/end-to-end-security-or-why-you-shouldnt-drive-your-motorcycle-naked

So WS-Security offers more protection than HTTPS would, and SOAP offers a richer API than REST. My opinion is that unless you really need the additional features or protection you should skip the overhead of SOAP and WS-Security. I know it's a bit of a cop-out but the decisions about how much protection is actually justified (not just what would be cool to build) need to be made by those who know the problem intimately.

Related questions

How to secure RESTful web services?

I have to implement secure RESTful web services. I already did some research using Google but I'm stuck. Options: TLS (HTTPS) + HTTP Basic (pc1oad1etter) HTTP Digest two-legged OAuth a Cookie-based approach client certificates (Tom Ritter and here) Signed …

Read More
Securing REST API without reinventing the wheel

When designing REST API is it common to authenticate a user first? The typical use case I am looking for is: User wants to get data. Sure cool we like to share! Get a public API key and read away! …

Read More
Where to save a JWT in a browser-based application and how to use it

I'm trying to implement JWT in my authentication system and I have a few questions. To store the token, I could use cookies but it's also possible to use localStorage or sessionStorage. Which would be the best choice? I have …

Read More