Scenario

  • WCF service on our public DNN website using a WsHttpBinding over SSL.
  • Security mode is TransportWithMessageCredential
  • Requires Username and password authentication
  • One WCF client consuming the service on our Intranet

I understand the basic idea of point-to-point security using SSL, but my question is - can I still have point-to-point security if my client app (on our Intranet) is connecting to a WCF service on our public website over SSL? Does this service being on the Internet open it up for "man in the middle" attacks considering the communication is going over the Internet? Am I not fully understanding man in the middle attacks?

I should note, the app on our Intranet is the only client that will be using this service or at least, this isn't something that I'm going to allow (give out other username/passwords) anyone else to consume or use.

Thanks

Mark B
  • If you're using digital certificates to create the SSL connection, I don't see any issue with "man in the middle" attacks. As you mentioned, just don't give out any user names or passwords. – Bernard Jul 17 '12 at 20:55
  • Does the situation change at all if the WCF service allows our customer service to reset DNN passwords for users? Meaning, it returns the user's temp password as a string (in the XML). – Mark B Jul 17 '12 at 22:19
  • As long as a secure connection is first established, all communication to and from your WCF services is secure. Without a secure connection, your WCF services would be prone to packet sniffing and other security attacks. – Bernard Jul 18 '12 at 02:20
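
A client for the setup described in the question, as an added example that is not code from the original post: it uses WSHttpBinding in TransportWithMessageCredential mode with a username/password credential and leaves the default server-certificate validation in place, which is the check that stops an intermediary from impersonating the service. The `IAccountService` contract, the endpoint URL, the user names and the `SVC_PASSWORD` environment variable are assumptions made for illustration.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract standing in for the real service (not from the post).
[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    string ResetPassword(string userName);
}

public static class Program
{
    public static void Main()
    {
        // HTTPS protects the channel and authenticates the server;
        // the username/password travels in the WS-Security header inside it.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Placeholder address. This security mode requires an https:// endpoint.
        var address = new EndpointAddress("https://www.example.com/Services/AccountService.svc");

        var factory = new ChannelFactory<IAccountService>(binding, address);
        factory.Credentials.UserName.UserName = "intranet-client"; // placeholder
        factory.Credentials.UserName.Password =
            Environment.GetEnvironmentVariable("SVC_PASSWORD");   // assumed secret source

        // Do not install a ServicePointManager.ServerCertificateValidationCallback
        // that returns true: the default chain and host-name validation is what
        // makes the TLS channel resistant to interception.
        IAccountService channel = factory.CreateChannel();
        try
        {
            string tempPassword = channel.ResetPassword("someuser"); // placeholder user
            Console.WriteLine("Reset completed ({0} characters returned).", tempPassword.Length);
            ((IClientChannel)channel).Close();
            factory.Close();
        }
        catch (CommunicationException ex)
        {
            // An untrusted or mismatched server certificate surfaces here as a
            // SecurityNegotiationException; treat it as a failure, never retry insecurely.
            Console.Error.WriteLine("Call failed: " + ex.Message);
            ((IClientChannel)channel).Abort();
            factory.Abort();
        }
    }
}
```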