If you turn off mutual authentication, be aware of service spoofing
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
If you are running your service in a scenario in which mutual authentication has been turned off, be aware that your service may be spoofed by a malicious attacker. Without mutual authentication, calls to your service may be diverted to a malicious service through DNS poisoning or a man-in-the-middle attack.
The following scenarios will result in mutual authentication being turned off:
- If you turn off message and transport security on your binding
- If you use basicHttpBinding which has message and transport security turned off by default
- If you use NTLM authentication
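As an added example (not part of the original guidance), the following configuration fragment contrasts a basicHttpBinding with its default security mode of None, which gives the client no way to authenticate the service, against a wsHttpBinding that uses message security with Windows credentials, names the service's SPN so the client can verify the service identity, and disables the NTLM fallback. The binding names, endpoint address, contract name and SPN are placeholders.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <!-- Weak: basicHttpBinding defaults to mode="None". The client cannot
           verify the service identity, so a redirected endpoint is accepted. -->
      <basicHttpBinding>
        <binding name="NoMutualAuth">
          <security mode="None" />
        </binding>
      </basicHttpBinding>
      <!-- Hardened: message security with Windows credentials. Setting
           negotiateServiceCredential="false" uses Kerberos directly, so the
           service must prove its identity and NTLM cannot be negotiated. -->
      <wsHttpBinding>
        <binding name="MutualAuth">
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="false" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <!-- Placeholder address, contract and SPN; replace with your own. -->
      <endpoint name="OrderService"
                address="http://orders.example.internal/OrderService.svc"
                binding="wsHttpBinding"
                bindingConfiguration="MutualAuth"
                contract="IOrderService"
                behaviorConfiguration="KerberosOnly">
        <!-- The client authenticates the service against this SPN. -->
        <identity>
          <servicePrincipalName value="host/orders.example.internal" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="KerberosOnly">
          <clientCredentials>
            <!-- Fail closed: refuse NTLM even when Kerberos is unavailable. -->
            <windows allowNtlm="false" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Kerberos authenticates the service to the client as well as the client to the service; NTLM only authenticates the client, which is why the NTLM fallback reintroduces the spoofing risk described above.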