If You Turn Off Mutual Authentication, Be Aware of Service Spoofing

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Be aware that a malicious attacker may spoof your service if you run it in a scenario in which mutual authentication has been turned off. Without mutual authentication, the client has no way to verify the identity of the service it reaches, so calls to your service may be diverted to a malicious service through DNS poisoning or a man-in-the-middle attack.

The following scenarios will result in mutual authentication being turned off:
  • If you turn off message and transport security on your binding
  • If you use basicHttpBinding which has message and transport security turned off by default
  • If you use NTLM authentication
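As an added example (not code from the original page or from the guidance team), the client-side WCF configuration below places the exposed case beside the corrected one: an endpoint on basicHttpBinding with its default of no security, where the client cannot verify which service it is talking to, and the same endpoint with transport security turned on, where the service must present a certificate matching the expected host name. The host names, contract name and service path are constructed placeholders.

```xml
<!-- Added example, not from the original page. Host names, contract name and
     service path are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Exposed: mode="None" is basicHttpBinding's default. It is written out
             here so the missing protection is visible when the config is reviewed. -->
        <binding name="PlainBinding">
          <security mode="None" />
        </binding>
        <!-- Hardened: TLS at the transport. The channel is only established if the
             service presents a certificate that chains to a trusted root and whose
             subject matches the expected host name. -->
        <binding name="TlsBinding">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <!-- Exposed endpoint: plain HTTP, no service identity for the client to check,
           so a DNS-poisoned or intercepted connection is indistinguishable from the
           real service. -->
      <endpoint name="OrdersPlain"
                address="http://orders.example.internal/OrderService.svc"
                binding="basicHttpBinding"
                bindingConfiguration="PlainBinding"
                contract="Example.IOrderService" />
      <!-- Hardened endpoint: HTTPS plus an explicit DNS identity. The identity makes
           the name the client expects in the service certificate explicit rather than
           relying on the address alone. -->
      <endpoint name="OrdersTls"
                address="https://orders.example.internal/OrderService.svc"
                binding="basicHttpBinding"
                bindingConfiguration="TlsBinding"
                contract="Example.IOrderService">
        <identity>
          <dns value="orders.example.internal" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

The transport-security binding addresses the first two scenarios in the list. The third is a credential-negotiation matter rather than a binding setting: the same `<identity>` element accepts a `<servicePrincipalName>` child, which lets a client that authenticates with Windows credentials state the SPN it expects, so that service authentication rests on Kerberos rather than on an NTLM exchange that cannot authenticate the service.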

Additional Resources

Last edited Jun 12, 2008 at 11:33 PM by prashantbansode, version 1
