Security to web services is always not pretty straight forward…
This post primarily discusses the reasons why SSL (Secure Socket Layer) is not a best fit for ensuring web service security. SSL stands for Secure Socket Layer popularly works on Transport layer as HTTPS.
* Web services need end-to-end security, where as SSL provides point-to-point security. While passing through SSL the message has to pass through multiple intermediaries that might not have enough security protection policies enforced! These intermediaries might pose a threat in compromising the integrity, confidentiality of the message
* SSL doesn’t support non-repudiation. For definition of non-repudiation you may browse through on the net
* SSL provides security only over the transport layer but not at the message level
* If you want to encrypt Credit card information or sign a particular portion of the SOAP message then SSL is not the right option