Secure WAP?

jano

Hi MTN DD (or anyone else)

The basic data route for a user accessing a web site via cellphone is as follows (correct me if I'm wrong):

Cellphone <-WAP-> WAP Gateway <-HTTP-> (The Internet) <-HTTP-> Web server

Some questions:
  1. The WAP gateway does conversion between HTTP and WAP - correct?
  2. Can the Web server provide "WAP ready content"? (E.g. what does OperaMini do?)
  3. Main question: How can one secure data between the cellphone and the Web server?
Obviously on the internet side you can use https/ssl. But how does WTLS (Wireless Transport Layer Security) work, and how does the WAP Gateway convert between WTLS and SSL?

As owner of the Web server/site, I would have no control over the WAP Gateway. How would I know:
  1. That the cellphone<-WAP->Gateway link was secured with WTLS? Can it be enforced?
  2. That the WAP Gateway is not logging a cleartext version of the secure data during the process of converting from WTLS to SSL?
Any (even partial) answers will be appreciated. Thanks.
 
That's how it used to be with older phones: you had to have a WAP gateway. Nowadays the gateway is actually a proxy server; in fact, if you set up your own APN on your phone, it is possible to skip the gateway setup completely and the phone will still be able to access websites.

The protocol that is more common now is XHTML, which is generally able to display normal webpages as well as XHTML content.

As for security, many phones now integrate access to the HTTPS protocol, and thus the connection can be secured between server and client with the gateway (proxy) only forwarding a secured transaction.

My understanding is that you presently have a server that serves WML-based content. The WML format, imo, for all intents and purposes will die a slow death over the next year or two and be replaced with better 'active' content using XHTML. My suggestion: make the switch and you get these benefits automagically...

D
 
The basic data route for a user accessing a web site via cellphone is as follows (correct me if I'm wrong):

Cellphone <-WAP-> WAP Gateway <-HTTP-> (The Internet) <-HTTP-> Web server

Some questions:

1. The WAP gateway does conversion between HTTP and WAP - correct? Yes, especially for WAP 1.x. For WAP 2.0 the mobile uses wHTTP (wireless profiled HTTP), so then there is no real conversion.

2. Can the Web server provide "WAP ready content"? (E.g. what does OperaMini do?) The Web server can see in the HTTP header what the UAProf value is of the requesting mobile and format the content specifically if it wishes.

3. Main question: How can one secure data between the cellphone and the Web server? WAP 1.x uses WTLS between the mobile and the WAP GW, with HTTPS on the Internet side. WAP 2.0 uses end-to-end HTTPS.

Obviously on the internet side you can use https/ssl. But how does WTLS (Wireless Transport Layer Security) work, and how does the WAP Gateway convert between WTLS and SSL? It terminates the WTLS tunnel and creates a new HTTPS tunnel.

As owner of the Web server/site, I would have no control over the WAP Gateway. How would I know:

1. That the cellphone<-WAP->Gateway link was secured with WTLS? Can it be enforced? The URL requested will be https://......, so it is enforced.

2. That the WAP Gateway is not logging a cleartext version of the secure data during the process of converting from WTLS to SSL? You just need to trust us


Any (even partial) answers will be appreciated. Thanks.

Here's my answer, seeing that I wasn't here

MTNDD
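
An added example, not code from any poster in this thread: a sketch of what the site owner's server can infer from request headers about the two cases described above (WAP 1.x through a gateway that terminates WTLS and opens a new HTTPS connection, versus WAP 2.0 HTTPS). It reads the UAProf URL from the `x-wap-profile` header, picks a markup from `Accept`, and treats a `Via` header on an HTTPS request as evidence that an intermediary handled the cleartext. The function name, result labels, hostnames and sample requests are constructed for illustration.

```python
# Added example: what a web server can infer about the handset-to-server path
# from request headers alone. Heuristic: a gateway that adds no headers is
# invisible to this check.
WML = "text/vnd.wap.wml"                       # WML deck MIME type (WAP 1.x)
XHTML = ("application/vnd.wap.xhtml+xml", "application/xhtml+xml")


def assess_request(headers, arrived_over_tls):
    """headers: name -> value as received; arrived_over_tls: HTTPS at the server?"""
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("x-wap-profile")               # UAProf URL, usually quoted
    uaprof = raw.strip('" ') if raw else None
    accept = h.get("accept", "").lower()
    if any(t in accept for t in XHTML):
        markup = "xhtml"
    elif WML in accept:
        markup = "wml"
    else:
        markup = "html"
    if not arrived_over_tls:
        path = "cleartext"
    elif "via" in h:
        # An intermediary can only add Via to a request it could read, so the
        # TLS session the server sees ends at that hop, not at the handset.
        path = "tls-terminated-at-intermediary"
    else:
        path = "tls-no-intermediary-evidence"   # not proof of end-to-end
    return {"uaprof_url": uaprof, "markup": markup, "path": path}


# Constructed sample requests (hostnames and URLs are placeholders).
WAP1_VIA_GATEWAY = {
    "Accept": "text/vnd.wap.wml, image/vnd.wap.wbmp",
    "Via": "1.1 wapgw.example",
    "x-wap-profile": '"http://uaprof.example/handset-a.xml"',
}
WAP2_DIRECT = {
    "Accept": "application/vnd.wap.xhtml+xml, text/html",
    "X-Wap-Profile": '"http://uaprof.example/handset-b.xml"',
}

if __name__ == "__main__":
    for name, req in (("wap1", WAP1_VIA_GATEWAY), ("wap2", WAP2_DIRECT)):
        print(name, assess_request(req, arrived_over_tls=True))
```

The absence of `Via` only means no intermediary announced itself; it does not show that the TLS session reaches the handset.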
 