securing XML data

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • garethharvey
    New Member
    • Apr 2008
    • 14

    securing XML data

    We need to share sensitive XML data between servers, both servers run with SSL certificates and the XML file is transferred via https://

    Would there be any additional need to encode the data?
  • jkmyoung
    Recognized Expert Top Contributor
    • Mar 2006
    • 2057

    #2
    If you need your data to be more secure, then go ahead and encrypt it. This does add to the overhead.

    This seems like something that would depend on your corporate policies. Do you generally encrypt data additionally even after using SSL as security?

    Comment

    • garethharvey
      New Member
      • Apr 2008
      • 14

      #3
      No, we don't currently encrypt any data as the information passed to date is not 'sensitive data'.

      We are due to release a new section to our programme where sensitive data will be required, we have a policy that the site requesting the data is called through a SSL page and the data is requested on our site through an SSL page.

      We can reject the data if the referring URL is not https://

      I'm just a little cautious due to my lack of understanding of XML

      Comment

      • pronerd
        Recognized Expert Contributor
        • Nov 2006
        • 392

        #4
        Originally posted by garethharvey
        I'm just a little cautious due to my lack of understanding of XML
        Encryption does not work any differently for XML vs. any other file format. As long as all of the public connections are made though an SSL tunnel then the data is encrypted. If the info is very sensitive it would not be a bad idea to encrypt the file being sent though the SSL tunnel.

        First off it will give you extra protection in case a security hole is found in the SSL package you are using at some point in the funture.

        Secondly SSL encryption levels are usually quite low. The standard 128 bit SSL key can be defeated by a standard off the shelf PC in a few days. So having the file encrypted before it is sent with a larger key ( 512, 1024, 2048, etc. ) would add serious extra protection.

        This would add extra CPU overhead on both ends though. Extra encryption means extra CPU time, it also means more complication for other people to send data to you. You just have to decide if the extra protection is worth the extra headache.

        Comment

        Working...