I am designing an XML over https message communication in my application.

My PM thinks applying x509.2 encryption to the XML and transporting the message over https will be better secured.

I was wondering, as message is being transferred over HTTPS, it is already encrypted.

So will x509.2 encryption bring any additional security? Or is it just an overhead?

These messages are simple HTTPWebRequest and HTTPWebResponse types.

Additional security

  1. Client and Host are under firewall
  2. HTTPWebRequest carries Authorization tokens
HaBo

1 Answer

It's just overhead. It's already secured using SSL. It's technically more secure to encrypt the XML as well but unless you are extremely concerned about the security of this data it's probably not worth the effort.

Adam Modlin
  • What kind of protection can I expect by encrypting the XML? – HaBo May 21 '13 at 02:03
  • I think it depends on what sort of encryption protocol you are using. If you symmetrically encrypt the XML and send the key along with it, I would say you get no benefit. If you have a public key of where you are sending it, you could encrypt with that and it would be very secure. – Adam Modlin May 21 '13 at 18:42
  • This is with public key. So encryption over https is adding some security? But I don't get what additional protection will this public key give that https is not giving? – HaBo May 21 '13 at 18:52
  • The only real advantage is that if somehow the HTTPS connection was compromised, the XML would still be encrypted. – Adam Modlin May 24 '13 at 17:10
  • How can an https connection be compromised? Don't mind, trying to know all possibilities. – HaBo May 24 '13 at 18:40
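
The difference discussed in the comments above, as an added example that is not code from the thread or its participants: the XML is encrypted under a fresh AES key, and only that key is wrapped with the recipient's public key, so anything that sees the HTTP body after TLS ends (a terminating proxy, a request log) holds only ciphertext. Assumptions: .NET 8 or later, a locally generated RSA key pair standing in for the one behind the recipient's X.509 certificate, and the hypothetical helper names `Seal` and `Open`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: key pair, XML and helper names are constructed for illustration.
static class MessageLevelEncryption
{
    // Sender side: only the holder of the recipient's private key can read the result.
    static (byte[] wrappedKey, byte[] nonce, byte[] tag, byte[] body) Seal(RSA recipientPublic, string xml)
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);    // fresh AES-256 key per message
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] plain = Encoding.UTF8.GetBytes(xml);
        byte[] body = new byte[plain.Length];
        byte[] tag = new byte[16];
        using var aes = new AesGcm(key, 16);
        aes.Encrypt(nonce, plain, body, tag);
        // The AES key travels with the message, but only in RSA-wrapped form.
        byte[] wrapped = recipientPublic.Encrypt(key, RSAEncryptionPadding.OaepSHA256);
        return (wrapped, nonce, tag, body);
    }

    // Recipient side: unwrap the AES key with the private key, then decrypt and verify.
    static string Open(RSA recipientPrivate, (byte[] wrappedKey, byte[] nonce, byte[] tag, byte[] body) m)
    {
        byte[] key = recipientPrivate.Decrypt(m.wrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] plain = new byte[m.body.Length];
        using var aes = new AesGcm(key, 16);
        aes.Decrypt(m.nonce, m.body, m.tag, plain);         // throws if body or tag was altered
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        using RSA recipient = RSA.Create(2048);             // stand-in for the certificate's key pair
        using RSA publicOnly = RSA.Create();                // what the sender actually holds
        publicOnly.ImportRSAPublicKey(recipient.ExportRSAPublicKey(), out _);

        var msg = Seal(publicOnly, "<order><card>constructed-sample</card></order>");
        // What a TLS-terminating hop or a log of the HTTP body would contain:
        Console.WriteLine(Convert.ToBase64String(msg.body));
        Console.WriteLine(Open(recipient, msg));

        msg.body[0] ^= 1;                                   // change made after TLS termination
        try { Open(recipient, msg); }
        catch (CryptographicException) { Console.WriteLine("rejected: modified in transit"); }
    }
}
```

Sending the raw AES key alongside the body instead of the wrapped one is the "symmetric key sent along with it" case from the comments: whoever can read the body can also read the key.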