Secure WAP?

jano

Hi V3G (or anyone else)

The basic data route for a user accessing a web site via cellphone is as follows (correct me if I'm wrong):

Cellphone <-WAP-> WAP Gateway <-HTTP-> (The Internet) <-HTTP-> Web server

Some questions:
  1. The WAP gateway does conversion between HTTP and WAP - correct?
  2. Can the Web server provide "WAP ready content"? (E.g. what does Opera Mini do?)
  3. Main question: How can one secure data between the cellphone and the Web server?
Obviously on the internet side you can use HTTPS/SSL. But how does WTLS (Wireless Transport Layer Security) work, and how does the WAP Gateway convert between WTLS and SSL?

As owner of the Web server/site, I would have no control over the WAP Gateway. How would I know:
  1. That the cellphone<-WAP->Gateway link was secured with WTLS? Can it be enforced?
  2. That the WAP Gateway is not logging a cleartext version of the secure data during the process of converting from WTLS to SSL?
Any (even partial) answers will be appreciated. Thanks.
 

vodacom3g

Vodacom Representative
From our WAP guys:

1. For WAP1 the WAP gateway does conversion between WTP and HTTP. For WAP2 the WAP gateway acts as a proxy and no conversion happens.

2. A web site needs to provide WAP ready content to be displayed on a phone. Opera Mini utilizes a central server that translates normal HTML web sites to WML web sites for display on the phone.

3. If the phone is WAP2 capable it can simply be done by using a secure web server with an SSL certificate. This will ensure end-to-end encryption. With WAP1 there is no end-to-end encryption. The connection from the phone to the WAP gateway can be encrypted via WTLS and from the WAP gateway to the web server via SSL (HTTPS), but the content needs to be decrypted and re-encrypted on the WAP gateway. Also with WAP1 you can't force the phone to use WTLS.


1. Answered in point 3 above

2. You will only have the assurance from the opco that this does not happen. Again this shortcoming is only with WAP1.
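
A partial, server-side answer to "How would I know?", as an added example that is not part of the original posts: when TLS really runs end to end, a proxy in the path only relays ciphertext and cannot add request headers, so proxy headers or a WML-only client on an HTTPS request indicate that some hop handled the plaintext. The function name, verdict strings and sample requests are constructed, and it assumes the web server terminates TLS itself (no reverse proxy of your own).

```python
# Added illustration (not from the thread): heuristic for spotting a
# TLS-terminating hop, e.g. a WAP1 gateway, from the headers the server sees.
# Header names are standard HTTP/WAP ones; everything else is constructed.

WAP1_TYPES = ("text/vnd.wap.wml", "application/vnd.wap.wmlc")
# Headers that only a hop which handled the plaintext request can add.
HOP_HEADERS = ("via", "x-forwarded-for", "forwarded")


def assess_request(headers, arrived_over_tls):
    """Return (verdict, reasons) for one request's headers (name -> value)."""
    if not arrived_over_tls:
        return "not-encrypted", ["request reached the server over plain HTTP"]
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    for name in HOP_HEADERS:
        if name in h:
            reasons.append(f"{name} header present: {h[name]!r}")
    accept = h.get("accept", "").lower()
    # A WML-only browser speaks the WAP1 stack, so a gateway must have
    # converted the request to HTTP. XHTML/HTML in Accept suggests WAP2.
    if any(t in accept for t in WAP1_TYPES) and "html" not in accept:
        reasons.append("client accepts only WML content types (WAP1 browser)")
    if reasons:
        return "intermediary-saw-plaintext", reasons
    # Absence of evidence is not proof: a gateway need not announce itself.
    return "no-intermediary-evidence", reasons


# Constructed sample requests: (headers, arrived_over_tls)
SAMPLES = {
    "wap1_via_gateway": (
        {"Accept": "text/vnd.wap.wml, application/vnd.wap.wmlc",
         "Via": "1.1 wapgw.example"},
        True,
    ),
    "wap2_tunnelled": (
        {"Accept": "application/vnd.wap.xhtml+xml, text/html",
         "User-Agent": "ExamplePhone/1.0"},
        True,
    ),
}

if __name__ == "__main__":
    for label, (hdrs, tls) in SAMPLES.items():
        print(label, assess_request(hdrs, tls))
```

A site could use the verdict to withhold sensitive pages from requests flagged `intermediary-saw-plaintext`; a `no-intermediary-evidence` result only means nothing in the headers gave a gateway away.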
 

jano

Thanks. Between this site and other sources, I've concluded that using WAP 2 and a secure web site (with SSL certificate) one will achieve the desired end-to-end security.
 