Web Services and the Old World Phillip Hallam-Baker Principal Scientist VeriSign Inc. © 2004 VeriSign, Inc. A Quotation “I have seen the future and it has angle brackets.” A Web Services Architect 2 More Quotations “Without Trust and Security, Web Services are dead on arrival.” Phillip Hallam-Baker “Unless you fix Internet crime people are not going to be very confident in your ability to secure Web Services.” One of his customers 3 Internet Crime + It is real, it is organized, it is for profit + Spam was the start, phishing is the merely the current tactic + Has required a re-evaluation of legacy Internet protocol security + Email was not designed to be secure + Phishing gangs are now exploiting that lack of security + Direct losses due to fraud are hundreds of millions + The cost of lost consumer confidence is potentially much higher + SSL held the line for ten years + During which time little was done to improve the user interface + Introduction of domain authenticated certificates reduced security assurance + IPSEC, DNSSEC don’t really meet the security issues of Internet crime + Designed for very different threats + What is to be done? 4 Industry Solution – Retrofit Web Services Architecture + Not acknowledged as such (of course) + Not even an acknowledgement that there is a systematic architecture + But close similarities exist + Example: Web Services Discovery and Protocol Negotiation + + + + + XML defines common protocol syntax XML-Schema defines data structures WSDL describes message set etc. WS-Policy allows negotiation of protocol version and features WS-SecurityPolicy allows negotiation of security context + Fixing Email + Multiple schemes, SPF/Sender-ID, Domain Keys/Identified Internet Mail + But each adds a security policy layer to the existing SMTP protocol + “All legitimate mail from this domain comes from these IP addresses” + “All legitimate mail from this domain is signed” 5 Using the DNS for Protocol Policy Distribution + SPF (Sender Policy Framework) stores protocol policy in the DNS + Lightweight & ubiquitous protocol designed for name resolution protocol + Works very well for policy distribution + Has built in caching, time to live + No cryptographic security + But this is now a matter of time due to level of attack + Why not extend to general security policy distribution protocol? + Does this web site support SSL? + Negotiate transparent upgrade using HTTP SSL + Does this email server support SSL? + Always on security + Why not distribute WS-Policy statements via DNS? + We are not there - yet 6 Rediscovering the Edge + Traditional Internet architecture regarded firewalls as evil + End-to-end security or nothing + Usually ending up with nothing or next to nothing + Web Services & Web Services Security model embrace firewalls + “Here is the information you need to let me through” + Security architectures to address Internet Crime rediscover the edge + Authenticate email at the domain level + Apply authentication to email at the edge server + Verify authentication at the incoming edge 7 ‘Web Services Lite’ + Legacy Internet Protocols packaged in Web Services friendly form + SOAP is not supported + Protocol must be hand coded + Syntax and specification are idiosyncratic + But allow client to answer important questions + What version of the protocol are supported? + What security enhancements are supported? + Is there a pure Web Service connection available? + But acknowledge the fact that edge security is legitimate + Network infrastructure is not abstracted away in security model + End-to-End considered a cop-out, ignoring the real security issues 8 What are the Implications for Web Services? + Lessons learned #1 + Its not the technology, it’s the deployment strategy + Lessons learned #2 + Its not the standards body, it’s the constituency of stakeholders + See Lesson #1 + Lessons learned #3 + Make the barriers to entry exceptionally low + See Lesson #1 + Lessons learned #4 + The bad guys attack the system at its weakest point + That is often the consumer + See Lesson #1 9 What are the Implications for Web Services? + Web Services Lite is being deployed + + + + SPF/Sender-ID Email authentication has critical mass Considerable backing for Domain Keys/Identified Internet Mail Internet crime provides a major forcing function Expect businesses to sign SMTP mail by default in near future + It would be good to use as much Web Services experience as possible + If only to serve as prototype deployment/sanity check for Web Services + Legacy protocols are in flux, change is possible + Potential downside + It is concluded that the legacy internet protocols are sufficient + No need to move to new platforms such as SOAP + Potential upside + Close many of the security holes that create ‘gotchas’ for Web Services + Co-opt Web Services Lite to provide low barrier to entry for true Web Services 10 Beyond EDI with angle brackets + One view of Web Services is to provide ‘frictionless capitalism’ + XML is better than the ASN.1 in EDI because wind resistance of the angle brackets is lower… + Web Services will connect big company to big company + + + + Electronic supply chain Smaller companies will be bullied into line and forced to comply Huge benefits for large companies Smaller companies with no ERM systems to integrate to will get ? + Perhaps there is another approach + Support the small business doing one Web Services transaction a week + Real-Time integration will still require infrastructure 11 Web Services without the server + Servers represent a real cost to a small business + + + + Software is expensive, requires specialist coding skills Maintenance is even more expensive Have to be on 24/7 Reliability requires redundant configuration + Clients are cheap + Software is subject to commodity pricing, off the shelf distribution + Client connection is more forgiving, coding errors less disastrous + Email is ubiquitous and inexpensive + With new cryptographic enhancements it is becoming reliably secure 12 Proposal: Use Email for the low cost entry point + Example: Electronic Invoicing + Transition will mean that there are multiple speeds: + Large business supports e-Invoice Web Service + Some small businesses and consumers opt to receive invoices by email + Some still receive paper + Some businesses will interface their Web Services to paper + Order received by Web Service, is printed out and sent to Accounts + Some businesses will have tight integration with their ERM system + Some will be using Quicken, QuickBooks or Microsoft Money + Application recognizes message as an invoice + Source is identified as trustworthy + Automatically enter it into the ledger. 13 Conclusions + Internet Crime is affecting Web Services + A major effect on consumer and business confidence in the Internet + Requiring redesign of legacy protocols infrastructures + Many features of Web Services are being grafted onto the legacy base + Web Services can benefit from this process + Make use of the secured legacy infrastructures + Use them to lower barriers to adoption + Make Web Services into a mass market technology, not merely EDI mkII 14 Thank You © 2004 VeriSign, Inc.