If you turn off mutual authentication, be aware of service spoofing

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

If you are running your service in a scenario in which mutual authentication has been turned off, be aware that your service may be spoofed by a malicious attacker. Without mutual authentication, calls to your service may be diverted to a malicious service through DNS poisoning or a man-in-the-middle attack.

The following scenarios will result in mutual authentication being turned off:
  • If you turn off message and transport security on your binding
  • If you use basicHttpBinding which has message and transport security turned off by default
  • If you use NTLM authentication
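
The scenarios above expressed as WCF configuration, as an added example that is not part of the original guidance: the first binding is the weak setting (basicHttpBinding with its default security mode stated explicitly), the second is a wsHttpBinding using message security with Windows credentials, and the client endpoint declares the service identity it expects so that it verifies the service rather than accepting whatever endpoint answers. Service, contract, address and SPN names are placeholders; service and client configuration are shown in one file for brevity, although in practice they live in separate config files.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Weak: basicHttpBinding defaults to security mode="None"; stated explicitly
             here. Neither side authenticates the other, so a spoofed endpoint reached
             via DNS poisoning or a man-in-the-middle is indistinguishable from the
             real service. -->
        <binding name="NoMutualAuth">
          <security mode="None" />
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <!-- Corrected: message security with Windows credentials. When Kerberos is
             negotiated, client and service authenticate each other (mutual auth);
             an NTLM fallback would authenticate only the client, not the service. -->
        <binding name="MutualAuth">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <!-- Service and contract names are placeholders for this example. -->
      <service name="Example.OrderService">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MutualAuth"
                  contract="Example.IOrderService" />
      </service>
    </services>
    <client>
      <!-- Client side: the identity element tells the client which service principal
           it expects, so the service is verified instead of trusted blindly.
           The address and SPN values are placeholders. -->
      <endpoint address="http://orders.example.internal/OrderService"
                binding="wsHttpBinding" bindingConfiguration="MutualAuth"
                contract="Example.IOrderService" name="OrderServiceEndpoint">
        <identity>
          <servicePrincipalName value="host/orders.example.internal" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

When reviewing a deployment, check that no production endpoint references a binding like NoMutualAuth and that client endpoints for Windows-authenticated services carry an explicit identity.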

