Secure cross-site communication
Old 03-31-2008, 01:36 PM Secure cross-site communication
VirtuosiMedia's Avatar
Web Design Made Simple

Posts: 1,228
Trades: 0
I'm looking for a little help on secure cross-site communication between sites that are hosted on different domains and do not share a database. I haven't ventured into this area yet, so I'm not very familiar with what the best protocol is and what issues I need to be aware of. Beyond the ability to communicate between sites, security is my highest priority. Does anyone have any words of wisdom in this area?

So far, my two potential candidates are XMLRPC and SOAP. Are there others? What are the pros and cons of using one over the other?
Old 03-31-2008, 02:00 PM Re: Secure cross-site communication
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
I prefer XML-RPC. When communicating, be sure to use a secure connection (e.g. HTTPS) and then have some means of validating that the data sent is from your legitimate source. For example, you could have a password tag. Doing these 2 things encrypts (through the HTTPS connection) the data on transport and allows you to validate the data once received (through the password).

Additionally, you could have the receiving server post back values to the sending server which then returns a validation code if the data matches the sent data. An example of this is PayPal's IPN method.
__________________
Jeremy Miller

Old 03-31-2008, 02:04 PM Re: Secure cross-site communication
VirtuosiMedia's Avatar
Web Design Made Simple

Posts: 1,228
Trades: 0
What if an HTTPS connection isn't always guaranteed to be present?
Old 03-31-2008, 02:08 PM Re: Secure cross-site communication
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
Well, then, you'd have to encrypt the data yourself, but that's not something I've done. You may want to check out http://us2.php.net/manual/en/functio...pt-encrypt.php for a PHP encryption method -- again, NOT something I've done.
__________________
Jeremy Miller

Old 03-31-2008, 02:31 PM Re: Secure cross-site communication
VirtuosiMedia's Avatar
Web Design Made Simple

Posts: 1,228
Trades: 0
If I go that route, then I guess I would need a unique key for each site that uses it. Is there any way that an XMLRPC request/response can be intercepted?
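An added example, not part of any post in this thread: one way to combine the per-site key raised above with the earlier advice to validate that data comes from a legitimate source, using an HMAC over the request body in place of a plain password tag. The site IDs, keys, field names and the five-minute freshness window are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Keys, site IDs and field names are constructed.
const MAX_SKEW_SECONDS = 300; // assumed freshness window

// Sender (the installed script): sign the body with this site's own key.
function signRequest(string $siteId, string $siteKey, string $body, int $now): array
{
    $nonce = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', "$siteId\n$now\n$nonce\n$body", $siteKey);
    return ['site' => $siteId, 'ts' => $now, 'nonce' => $nonce, 'mac' => $mac];
}

// Receiver (the central service): verify before the XML is parsed.
function verifyRequest(array $hdr, string $body, array $siteKeys, array &$seen, int $now): bool
{
    $site  = (string)($hdr['site'] ?? '');
    $ts    = (int)($hdr['ts'] ?? 0);
    $nonce = (string)($hdr['nonce'] ?? '');
    $key   = $siteKeys[$site] ?? null;
    if ($key === null || abs($now - $ts) > MAX_SKEW_SECONDS) {
        return false; // unknown site or stale timestamp
    }
    $expected = hash_hmac('sha256', "$site\n$ts\n$nonce\n$body", $key);
    if (!hash_equals($expected, (string)($hdr['mac'] ?? ''))) {
        return false; // wrong key, or body/header fields changed after signing
    }
    if (isset($seen["$site:$nonce"])) {
        return false; // replay of a request that was already accepted
    }
    $seen["$site:$nonce"] = $now; // remembered only after the MAC checks out
    return true;
}

// Constructed demo data.
$siteKeys = ['site-a' => 'key-for-site-a-only', 'site-b' => 'key-for-site-b-only'];
$seen = [];
$now  = 1206988260;
$body = '<methodCall><methodName>stats.report</methodName></methodCall>';

$hdr = signRequest('site-a', $siteKeys['site-a'], $body, $now);
var_dump(verifyRequest($hdr, $body, $siteKeys, $seen, $now)); // first use of a valid header
var_dump(verifyRequest($hdr, $body, $siteKeys, $seen, $now)); // same header sent again
$fresh = signRequest('site-a', $siteKeys['site-a'], $body, $now);
var_dump(verifyRequest($fresh, $body . ' ', $siteKeys, $seen, $now)); // body altered in transit
var_dump(verifyRequest(['site' => 'site-b'] + $fresh, $body, $siteKeys, $seen, $now)); // claims another site
```

The MAC authenticates the sending site and detects modification; it does not hide the payload, so confidentiality still depends on HTTPS or separate encryption.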
 
Old 03-31-2008, 02:34 PM Re: Secure cross-site communication
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
I'd say that it's not probable, but just about anything is possible. Your question, however, was on how to secure something. If you want the best method, use HTTPS or personally-encrypt.

Now, that's just my experience. Others out there may have better ideas -- and, I'd love to hear them.
__________________
Jeremy Miller

Old 03-31-2008, 04:48 PM Re: Secure cross-site communication
Average Talker

Posts: 18
Trades: 0
Depending on what you're trying to accomplish you may be able to just scp files back and forth on cron jobs, assuming you have that kind of access.
awatson is offline
Old 03-31-2008, 04:53 PM Re: Secure cross-site communication
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
What's "scp"?
__________________
Jeremy Miller

Old 03-31-2008, 06:19 PM Re: Secure cross-site communication
chrishirst's Avatar
Missing! presumed drunk.

Posts: 41,519
Name: Chris Hirst
Location: Blackpool. UK
Trades: 0
scp is a *nix program that uses SSH to transfer files between hosts.
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
Old 03-31-2008, 06:22 PM Re: Secure cross-site communication
VirtuosiMedia's Avatar
Web Design Made Simple

Posts: 1,228
Trades: 0
Quote:
Originally Posted by awatson View Post
Depending on what you're trying to accomplish you may be able to just scp files back and forth on cron jobs, assuming you have that kind of access.
Unfortunately, I don't think that will be an option.
Old 03-31-2008, 06:24 PM Re: Secure cross-site communication
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
So, VM, what do you have access to? You've asked an open ended question and rejected a lot of the options presented b/c you don't seem to have much available, so it may be easier to start from the other end of this.

CHRIS: Thanks.
__________________
Jeremy Miller

Old 03-31-2008, 06:34 PM Re: Secure cross-site communication
VirtuosiMedia's Avatar
Web Design Made Simple

Posts: 1,228
Trades: 0
Quote:
Originally Posted by JeremyMiller View Post
So, VM, what do you have access to? You've asked an open ended question and rejected a lot of the options presented b/c you don't seem to have much available, so it may be easier to start from the other end of this.
Fair enough question. I should have probably laid out the question a bit differently to begin with. Without going into extravagant detail, I'm writing a web script that I would like to release for public use. I would like to have the sites on which the script is installed to be able to communicate securely (and with the owner's permission) with my site. I won't own or have access to the other sites. More simply said, I'm looking to make a secure web service available through my PHP script.
Old 03-31-2008, 06:48 PM Re: Secure cross-site communication
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
Well, most sites, using cURL, for example, can connect to an https connection. And, you'd only have to have the HTTPS setup on your server. The other servers would just have to have support for connecting to yours and that's fairly common.

No matter what you do, there will be some crappy server that someone's on that won't allow your system to work. I've seen servers which simply ban connecting out, for example. GoDaddy, as another example, allows connecting to HTTPS, but through a proxy (their help site shows how using cURL in PHP).

I have a product out which connects to other sites and have very rarely had any problems with people connecting to the other sites to fetch information.

I'm thinking that you're making your requirements unnecessarily restrictive.

Hope that helps. TK appreciated.
__________________
Jeremy Miller

Old 04-01-2008, 12:32 PM Re: Secure cross-site communication
willcode4beer's Avatar
Super Moderator

Posts: 1,533
Name: Paul Davis
Location: San Francisco
Trades: 1
The best practice for secure communication between servers is to use a secure channel, TLS (preferred over SSL) where the public certificates from each server are on the other (and the private ones private).

Each server should restrict communication to servers for which it has a cert.
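The arrangement described above, as an added PHP example that is not part of the original post: the client options make cURL verify the peer against the certificate held for it and present its own, and the server-side check accepts only peers whose certificate fingerprint is on file. The function names, file arguments and host names are assumptions; the demo certificates are throwaway ones generated on the spot.

```php
<?php
// Added example (not from the thread). Function names and host names are assumptions.

// Client side: trust only the certificate file held for the peer, and present our own.
function mutualTlsCurlOptions(string $peerCaFile, string $ourCertFile, string $ourKeyFile): array
{
    return [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,         // chain must validate against $peerCaFile
        CURLOPT_SSL_VERIFYHOST => 2,            // certificate name must match the host
        CURLOPT_CAINFO         => $peerCaFile,  // the other server's public certificate
        CURLOPT_SSLCERT        => $ourCertFile, // our public certificate
        CURLOPT_SSLKEY         => $ourKeyFile,  // our private key, which stays on this host
    ];
}
// Usage: curl_setopt_array($ch, mutualTlsCurlOptions($peerCa, $ourCert, $ourKey));

// Server side: accept only peers whose certificate is on file.
// Assumes the web server already required a client certificate and passed its PEM to PHP
// (with Apache mod_ssl, SSLOptions +ExportCertData sets $_SERVER['SSL_CLIENT_CERT']).
function peerIsAllowed(string $peerPem, array $allowedSha256): bool
{
    $fp = openssl_x509_fingerprint($peerPem, 'sha256');
    if ($fp === false) {
        return false; // not a parseable certificate
    }
    foreach ($allowedSha256 as $allowed) {
        if (hash_equals(strtolower($allowed), $fp)) {
            return true;
        }
    }
    return false;
}

// Constructed demo: two self-signed certificates, only one of them on file.
function makeSelfSignedPem(string $cn): string
{
    $key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr  = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
    openssl_x509_export($cert, $pem);
    return $pem;
}

$known   = makeSelfSignedPem('partner.example');
$unknown = makeSelfSignedPem('stranger.example');
$onFile  = [openssl_x509_fingerprint($known, 'sha256')];
var_dump(peerIsAllowed($known, $onFile), peerIsAllowed($unknown, $onFile));
```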
 