Are SOAP messages that contain hyperlinks with the "http" protocol secure?


Recently I started to learn web services to use them in my applications. My objective is to minimise the risk of my SOAP requests being captured. As I understand, SOAP messages should be encrypted not only with the "https" protocol, but also using techniques known as WS-Security.

I searched the internet for some simple public web services that I could connect to for testing purposes. All examples of SOAP messages that I have found contain hyperlinks that use unencrypted "http".

Is this kind of message secure or am I missing something?

As a reference, below is an example of a SOAP request body that is used to convert numbers to words:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <NumberToWords xmlns="http://www.dataaccess.com/webservicesserver/">
      <ubiNum>this_is_a_placeholder_for_an_integer_number</ubiNum>
    </NumberToWords>
  </soap:Body>
</soap:Envelope>
On BEST ANSWER

Are SOAP messages that contain hyperlinks with the "http" protocol secure?

By hyperlinks do you mean http://schemas.xmlsoap.org/soap/envelope/ and http://www.dataaccess.com/webservicesserver/? If yes, then those are not hyperlinks, they are XML namespaces.

No request will be made to those addresses. The XML Schema of that namespace might be hosted at that address, as is the case for http://schemas.xmlsoap.org/soap/envelope/, but that's just for convenience. The link does not need to work. A lot of namespaces don't provide that.

If you want to secure your service calls, then you have three options:

  1. transport level security.
  2. message level security.
  3. both.

Transport level security means that you transmit a message, but you secure the transport (i.e. the pipe you send the message on). That means using HTTPS as opposed to HTTP. The message is in plain text, but because it's on https:// instead of http://, people can't look inside.

But that works on a point-to-point connection. If you are going through hops when transmitting the message, you might have proxies that act like a man in the middle and they can potentially look inside the message. If you don't want that, then you need to make the message unreadable for them. And here comes message level security where you encrypt the message itself (with extensions like WS-Security for example), instead of sending it in plain text. Even if there is a man in the middle looking at the message, they won't understand anything because it's encrypted.

And obviously, you can combine message level security with transport level security, where you encrypt the message and also send it over HTTPS. This is the third option.
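As an added example, not part of the question or of the answer above: the Go program below shows what the answer's "message level security" looks like on the wire for the request in the question, next to the plaintext form that transport level security alone would leave readable at every hop. It uses only the standard library. The number 500, the fixed demo key and the element layout are assumptions, and it is a simplified illustration of the XML Encryption structure that WS-Security builds on, not a conforming WS-Security implementation (a real message also carries a wsse:Security header with key information and usually a signature). Note that the namespace URIs appear in the struct tags only as strings to match against; the parser never fetches them, which is the answer's point about those "hyperlinks".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample: the request from the question with an assumed number.
const sampleRequest = `<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <NumberToWords xmlns="http://www.dataaccess.com/webservicesserver/">
      <ubiNum>500</ubiNum>
    </NumberToWords>
  </soap:Body>
</soap:Envelope>`

// Skeletons for re-serialising. The encrypted form uses XML Encryption's
// EncryptedData/CipherData/CipherValue layout but omits the wsse:Security
// header and key information a full WS-Security message also carries.
const envelopeTmpl = `<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    %s
  </soap:Body>
</soap:Envelope>`

const encryptedTmpl = `<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>`

// The namespace URIs in these tags are matched as strings; nothing is fetched.
type envelope struct {
	XMLName xml.Name `xml:"http://schemas.xmlsoap.org/soap/envelope/ Envelope"`
	Body    struct {
		Inner []byte `xml:",innerxml"` // raw Body content, encrypted verbatim
	} `xml:"http://schemas.xmlsoap.org/soap/envelope/ Body"`
}

// bodyContent parses the envelope and returns the Body's inner XML.
func bodyContent(doc string) ([]byte, error) {
	var env envelope
	if err := xml.Unmarshal([]byte(doc), &env); err != nil {
		return nil, err
	}
	if inner := bytes.TrimSpace(env.Body.Inner); len(inner) > 0 {
		return inner, nil
	}
	return nil, fmt.Errorf("empty soap:Body")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptBody is the sender side: the Body content becomes nonce||ciphertext||tag,
// base64-encoded inside EncryptedData (the IV-first layout XML Encryption 1.1
// specifies for AES-GCM). A proxy still sees a valid envelope, but no ubiNum.
func encryptBody(doc string, key []byte) (string, error) {
	plaintext, err := bodyContent(doc)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil))
	return fmt.Sprintf(envelopeTmpl, fmt.Sprintf(encryptedTmpl, sealed)), nil
}

// decryptBody is the receiver side. A wrong key or any altered byte makes
// gcm.Open fail, so a tampered message is rejected instead of processed.
func decryptBody(doc string, key []byte) (string, error) {
	var ed struct {
		XMLName     xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
		CipherValue string   `xml:"CipherData>CipherValue"`
	}
	content, err := bodyContent(doc)
	if err != nil {
		return "", err
	}
	if err := xml.Unmarshal(content, &ed); err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(strings.TrimSpace(ed.CipherValue))
	if err != nil || len(sealed) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed or truncated CipherValue: %v", err)
	}
	plaintext, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(envelopeTmpl, plaintext), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real key-management scheme
	enc, err := encryptBody(sampleRequest, key)
	if err != nil {
		panic(err)
	}
	fmt.Println(enc) // what an intermediary sees: SOAP structure, no ubiNum
}
```

Run it and compare the two envelopes: an intermediary on the path (which option 1 alone would let read the body) sees a well-formed SOAP envelope whose Body holds only base64 ciphertext, while the endpoint that has the key recovers the original NumberToWords request with decryptBody. Because AES-GCM authenticates what it encrypts, decryptBody also rejects a message whose ciphertext was altered in transit, as well as one decrypted with the wrong key. Sending the result over HTTPS as well is the answer's third option.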