ScientiaMobile

Hello,

I noticed in Wireshark that the traffic that goes to the cloud service is using HTTP only. The header contains the authorization field with the Base64 encoded copy of the API secret. Is there anyway to configure the client to communicate through HTTPS?

Thanks,
Clement

Edit: sorry I typed it in a haste, fixed some mistakes. But I am concerned about the security of this traffic even though it is server to server. I just need to know whether or not SSL can be enforced or if the current client can communicate via HTTPS. Thanks.

Hi Clement,

During the design of the WURFL Cloud Service we made the decision not to support SSL connections due to the fact that SSL negotiation/handshaking significantly increases latency for a limited benefit. Our feeling is that the risk of providing the API credentials in clear text is worth the benefit of the decreased latency. Is there a reason why you are particularly concerned about the API key?

It is just a general security concern. I suppose it is fine given that the communication is between server to server. It was just something that caught my eye.

Thanks for the prompt response.
Clement

I can certainly understand your concern. Currently you cannot enforce an SSL connection. In any case, we would likely use a pre-shared key / hashing mechanism to secure the credentials in transit instead of SSL due to the aforementioned latency issues with the SSL handshake.

It looks like the only practical solution is to compile our client with a different version of the JSON DLL. Can you send us the Newtonsoft.Json.dll that your CMS is using to support@[our domain name], or tell me how to obtain that DLL, so we can figure out how to proceed?