Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle att
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 17 Oct 2006 18:40:28 +0000 (UTC)
SSL is not prone to MITM attacks. You don't need additional message based security.
SSL also does server authentication by default. Before you send data, the client checks the server certificate which has to be trusted and the common name must match the DNS name portion of the URL.
http://www.google.com/search?q=how+does+ssl+work&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
Hello.
I plan on upgrading my .NET 2.0 web service to use WSE 3.0. I am
using my web service over SSL and the PC client application accesses the
web service directly (no middle man server(s)). I will be adding the
UserNameToken option to authenticate the user to the web service. I
am considering adding "usernameForCertificateSecurity" for additional
security, even though I am also using SSL. I am concerned about "man
in the middle" attacks for both the password and data being sent back
and forth. How do I decide if SSL is sufficient? Is the password
sent in an encrypted format if I only use "usernameOverTransport
Security"? Is it possible for someone to find out the password that
the PC sends for authentication to the web service if I only use
"usernameOverTransport Security"? If it is possible to see someone's
password, what's a good way to verify the PC application is "talking"
to a valid server before it tries to authenticate by sending the user
ID/Password?
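The reply above says the client checks two things before sending any data: the server certificate must be trusted, and its name must match the DNS portion of the URL. The following is an added example, not code from this thread or from WSE 3.0. It models those two checks in Python over constructed certificate records and a hypothetical trust store (`TRUSTED_ISSUERS`, `server_is_trusted`, "Example Root CA" and the host names are all assumptions), and shows that Python's default TLS client context enforces the same two checks on real sockets.

```python
"""Added example (not from the mailing-list post): the two checks a TLS
client performs before sending any application data.

1. The server certificate must chain to a trusted issuer.
2. The certificate's name must match the host portion of the URL.

Certificates and the trust store here are constructed stand-ins (plain
dicts), not real X.509 parsing. The name-matching rules follow what TLS
libraries apply: exact match, or a wildcard that is the whole leftmost
label and matches exactly one label.
"""
import ssl
from urllib.parse import urlsplit

# Constructed trust store: issuers this client trusts (hypothetical name).
TRUSTED_ISSUERS = {"Example Root CA"}


def host_from_url(url: str) -> str:
    """Return the DNS host portion of a URL, lower-cased, port stripped."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return host.lower()


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a host.

    '*.example.com' matches 'api.example.com' but not 'example.com',
    'a.b.example.com' or anything when the wildcard is not the whole
    leftmost label; '*.com' is rejected as too broad.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def server_is_trusted(cert: dict, url: str) -> tuple:
    """Apply both checks to a constructed cert record; return (ok, reason)."""
    issuer = cert.get("issuer")
    if issuer not in TRUSTED_ISSUERS:
        return False, "issuer %r is not trusted" % issuer
    host = host_from_url(url)
    # SAN dNSName entries take precedence; CN is consulted only without SAN.
    names = list(cert.get("san_dns", [])) or [cert.get("cn", "")]
    if not any(name_matches(n, host) for n in names):
        return False, "host %r does not match certificate names %r" % (host, names)
    return True, "ok"


def default_client_context() -> ssl.SSLContext:
    """Python's default client context enforces both checks for real sockets."""
    ctx = ssl.create_default_context()
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("default context unexpectedly lax")
    return ctx


if __name__ == "__main__":
    # Constructed certificate record for a server the client expects.
    cert = {"issuer": "Example Root CA", "cn": "api.example.com",
            "san_dns": ["api.example.com"]}
    print(server_is_trusted(cert, "https://api.example.com/ws/Service.asmx"))
    print(server_is_trusted(cert, "https://other.example.net/ws/Service.asmx"))
```

The same protection is lost if a client installs a certificate validation callback that accepts every certificate to silence errors; whatever the library, the callback should fail closed on any policy error, since the hostname and chain checks are what make the password safe to send over the transport.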