Web Service, Web Application and HTTPS Questions
September 3, 2010 3:42 AM
I'm putting together a publicly-available web service/application and have some security questions.
posted by syzygy to Computers & Internet (7 answers total) 2 users marked this as a favorite
I'm reasonably well-informed on topics like SQL injection and XSS, and I'm reading up on JSON and XML injection topics at the moment. As a software architect, I've dealt with these topics in the past.
Server security, however, is a different topic. That's always been handled by someone else on projects I've worked on in the past.
Now I'm setting up a web service that acts as a sort of broker between other, third-party web services, and I need to beef up on this area of my knowledge, as well. I'm researching the topic, but I have a question.
For the following example, myservice.com is my service, a.com and b.com are external services that my service will be communicating with, and I'm using PHP curl to communicate with the external services.
Suppose that myservice.com does not have an SSL cert at the moment. I understand that anything submitted via a browser will be unencrypted and therefore subject to interception, but I'd like to know the following.
If myservice.com makes a curl GET to https://a.com, processes that data internally, then curl POSTs it to https://b.com, is myservice.com creating a security hole? Notice, the data will never be sent directly from myservice.com to anyone's browser.
I'm also interested in recommendations for certificate providers. I've read some of the posts regarding SSL on Ask, and most of them are pretty old. Would be great to get some updated recommendations.
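The two outbound legs described in the question (GET from https://a.com, POST to https://b.com) are only as strong as the certificate checks PHP curl performs on them. The sketch below is an added example, not part of the original post: `broker_request()` and the `/export` and `/import` paths are hypothetical, and a.com and b.com are the question's placeholder hosts.

```php
<?php
// Added illustration. Hosts are the question's placeholders; paths are hypothetical.

function broker_request(string $url, ?string $postBody = null): string
{
    // Refuse anything that is not HTTPS before a socket is opened.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the hostname
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // curl itself may only speak HTTPS
        CURLOPT_FOLLOWLOCATION => false,           // no silent redirect to another host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    if ($postBody !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postBody);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
    }

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);

    // Fail closed: a certificate or hostname mismatch surfaces here as a curl error.
    if ($body === false) {
        throw new RuntimeException("Transfer failed ($errno): $error");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status from $url");
    }
    return $body;
}

// Broker flow from the question: fetch from a.com, process, forward to b.com.
$data = json_decode(broker_request('https://a.com/export'), true, 512, JSON_THROW_ON_ERROR);
// ... internal processing of $data happens here ...
broker_request('https://b.com/import', json_encode($data, JSON_THROW_ON_ERROR));
```

Setting `CURLOPT_SSL_VERIFYPEER` to false or `CURLOPT_SSL_VERIFYHOST` to 0 to silence a certificate error removes the protection these HTTPS legs are meant to provide.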