Using authentication, especially the Windows NT challenge/response authentication method, will give you a somewhat secured environment. Nevertheless, when transferring sensitive data over the Internet, authentication is just not enough—encryption needs to be applied as well.
Hosting your components in IIS gives you a head start when it comes to encryption, as you can easily leverage the built-in SSL capabilities. All it takes is installing a server-side certificate and changing the URL in the client-side configuration file. After making an edit to just one line (changing "http:" to "https:"), all traffic will be secured—including the HTTP headers, authentication information, and, of course, the transferred data.
The changed configuration file looks like this:
<configuration>
  <system.runtime.remoting>
    <application>
      <client>
        <wellknown type="Server.CustomerManager, Client"
                   url="https://localhost/MyAuthServer/CustomerManager.soap" />
      </client>
    </application>
  </system.runtime.remoting>
</configuration>
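Because the protection depends on a single URL scheme in a configuration file, a client can check at start-up that the file has not slipped back to "http:". The following guard is an added example, not code from the original text: it inspects the client entries that .NET Remoting registered from the configuration file and throws if any of them is not an HTTPS URL. The names TransportGuard and Program and the file name Client.exe.config are assumptions, and the check is extended to client-activated entries as well as the wellknown entry shown above.

```csharp
using System;
using System.Runtime.Remoting;

// Added example: TransportGuard is a hypothetical helper, not part of the original text.
static class TransportGuard
{
    // Call after RemotingConfiguration.Configure(...). Throws if any registered
    // client-side remote object would be reached over anything other than HTTPS.
    public static void RequireHttps()
    {
        // <wellknown> entries inside <client>
        foreach (WellKnownClientTypeEntry e in
                 RemotingConfiguration.GetRegisteredWellKnownClientTypes())
            Check(e.TypeName, e.ObjectUrl);

        // <activated> entries inside <client url="...">
        foreach (ActivatedClientTypeEntry e in
                 RemotingConfiguration.GetRegisteredActivatedClientTypes())
            Check(e.TypeName, e.ApplicationUrl);
    }

    static void Check(string typeName, string url)
    {
        Uri parsed;
        bool ok = Uri.TryCreate(url, UriKind.Absolute, out parsed)
                  && parsed.Scheme == Uri.UriSchemeHttps;
        if (!ok)
            throw new InvalidOperationException(
                "Remoting target for " + typeName + " is not HTTPS: " + url);
    }
}

static class Program
{
    static void Main()
    {
        // Assumed file name; use the configuration file your client actually loads.
        RemotingConfiguration.Configure("Client.exe.config", false);

        // Fail fast, before any credentials or data are sent to the server.
        TransportGuard.RequireHttps();

        // ... create and use Server.CustomerManager as before ...
    }
}
```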
SSL encryption is sometimes accused of imposing a huge overhead. This is not always true, because the "real" asymmetric cryptography takes place only while the secured HTTP connection is being established. That secure connection is then reused, which minimizes the overhead.
When testing the example in Chapter 2 using both HTTPS and HTTP, you'll see that a binary formatter via HTTPS/SSL is faster, and fewer bytes are transferred over the network than when using a SOAP formatter via conventional HTTP.
Hint: You can get free certificates for development purposes from Verisign (http://www.verisign.com).