Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Oct 2006 04:59:45 +0000 (UTC)
If the other endpoint has a trusted and valid SSL certificate, he would see the data in cleartext.
But if you let customers change the endpoint address, they must also be able to change the server certificate for mutual authentication, so I don't see a real advantage in using additional message security - and you are in the same situation as with transport security.
Make sure that only authorized people (e.g. an admin) can change URIs on the client.
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
The web address my PC client program goes to for the web services is
editable by the user. This is in case the customer wants to host the
server side components on their own server. Thus they need the
ability to change the address. Thus, some malicious user could change
the address to some other server with an SSL certificate. Then an
unknowing, authorized user could attempt to log into the web site with
the PC client program, thinking it's the correct one since they don't
know someone changed it (i.e. like a physical key stroke logger
hardware). The PC client program would then go to authorize,
unfortunately to the wrong server; would the malicious server then see the
user's password if I only use usernameOverTransportSecurity? I would
think the PC client would send the password unencrypted, but I am not
sure if it is still encrypted with that setting.
"Dominick Baier" wrote:
SSL is not prone to MITM attacks. You don't need additional message
based security.
SSL also does server authentication by default. Before you send data,
the client checks the server certificate which has to be trusted and
the common name must match the DNS name portion of the URL.
http://www.google.com/search?q=how+does+ssl+work&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
Hello.
I plan on upgrading my .NET 2.0 web service to use WSE 3.0. I am
using my web service over SSL and the PC client application accesses
the web service directly (no middle man server(s)). I will be
adding the UserNameToken option to authenticate the user to the web
service. I am considering adding "usernameForCertificateSecurity"
for additional security; even though I am also using SSL. I am
concerned about "man in the middle" attacks for both the password
and data being sent back and forth. How do I decide if SSL is
sufficient? Is the password sent in an encrypted format if I only
use "usernameOverTransport Security"? Is it possible for someone to
find out the password that the PC sends for authentication to the
web service if I only use "usernameOverTransport Security"? If it
is possible to see someone's password, what's a good way to verify
the PC application is "talking" to a valid server before it tries to
authenticate by sending the user ID/Password?
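As an added example that is not part of this thread (it is neither Dominick's nor the poster's code), the following C# shows one way a .NET 2.0 client could apply the advice above: keep the service address user-editable, but refuse to talk to it unless it is HTTPS and its host is on an administrator-managed list, and additionally pin the server certificate's thumbprint so that a different server presenting its own trusted, CN-matching certificate is still rejected. The class and member names (EndpointPolicy, IsAcceptableEndpoint, AllowedHosts, PinnedThumbprint, Install) are hypothetical, and the thumbprint value is a placeholder to be replaced by the administrator at deployment time.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread. Hypothetical names throughout.
public static class EndpointPolicy
{
    // PLACEHOLDER: SHA-1 thumbprint of the server certificate the administrator
    // shipped with the client. Must be admin-controlled, like the endpoint list,
    // or an attacker who can edit the URL can simply edit the pin as well.
    public static string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Hosts the administrator permits (constructed sample value). A plain end user
    // may edit the URL in the client, but cannot extend this list.
    public static readonly string[] AllowedHosts = new string[] { "ws.example.com" };

    // True only if the address is an absolute HTTPS URL pointing at an allowed host.
    // Rejecting non-HTTPS keeps the UsernameToken password inside the TLS tunnel.
    public static bool IsAcceptableEndpoint(string address)
    {
        Uri uri;
        if (!Uri.TryCreate(address, UriKind.Absolute, out uri)) return false;
        if (!string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            return false;
        foreach (string host in AllowedHosts)
        {
            if (string.Equals(host, uri.Host, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return false;
    }

    // Runs after the framework's own chain and common-name checks. Any error from
    // those checks is fatal; on top of that the thumbprint must match the pin.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors != SslPolicyErrors.None) return false;
        if (certificate == null) return false;
        return string.Equals(certificate.GetCertHashString(), PinnedThumbprint,
            StringComparison.OrdinalIgnoreCase);
    }

    // Install the callback once at client start-up; in .NET 2.0 it is process-wide.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(ValidateServerCertificate);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample addresses: only the first should pass.
        string[] samples = new string[] {
            "https://ws.example.com/Service.asmx",
            "http://ws.example.com/Service.asmx",     // rejected: not HTTPS
            "https://evil.example.net/Service.asmx"   // rejected: host not allowed
        };
        foreach (string s in samples)
        {
            Console.WriteLine(s + " -> " + EndpointPolicy.IsAcceptableEndpoint(s));
        }
        EndpointPolicy.Install();
    }
}
```

Call EndpointPolicy.IsAcceptableEndpoint on the configured URL before constructing the WSE proxy, and call EndpointPolicy.Install once before the first request. The pin is the part that addresses the scenario in the thread (a rogue server with its own valid certificate); the cost is that the pinned thumbprint must be updated by the administrator whenever the legitimate server certificate is renewed.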