If you turn off mutual authentication, be aware of service spoofing

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

If you are running your service in a scenario in which mutual authentication has been turned off, be aware that your service may be spoofed by a malicious attacker. Without mutual authentication, calls to your service may be diverted to a malicious service through DNS poisoning or a man in the middle attack.

The follow scenarios will result in mutual authentication being turned off:
  • If you turn off message and transport security on your binding
  • If you use basicHttpBinding which has message and transport security turned off by default
  • If you use NTLM authentication

Last edited Apr 16, 2008 at 11:53 PM by prashantbansode, version 1


No comments yet.