Skip to main content

Why does SecureAuth use HTTP (Port 80) for Web Services?

Question

Why does SecureAuth use HTTP (Port 80) for Web Services?

Answer

SecureAuth uses WSE 3.0 / WCF which is a message-level encryption. Since the content is already encrypted, it is more efficient to transport over port 80. Furthermore, WSE 3.0 / WCF gives us the ability to encrypt with a different key per each customer, versus SSL which is universal across all clients.

Our SecureAuth web service is based on SOAP and is hosted through IIS. Using HTTP with port 80 is the easiest and most efficient way that it can be supported. Alternatively, we can use a background windows service by WCF through TCP, but this method may result in unnecessary overhead.

Is it possible to both message-level encryption and transport-level encryption simultaneously?

Our previous testing also revealed that if we attempt to do both message-level and transport-level encryption, most intrusion detection applications will block the packets because they cannot identify what they are.