John K
Hello.
I plan on upgrading my .NET 2.0 web service to use WSE 3.0. I am using my
web service over SSL and the PC client application accesses the web service
directly (no middle man server(s)). I will be adding the UserNameToken
option to authenticate the user to the web service. I am considering adding
"usernameForCertificateSecurity" for additional security, even though I am
also using SSL. I am concerned about "man in the middle" attacks for both
the password and data being sent back and forth. How do I decide if SSL is
sufficient? Is the password sent in an encrypted format if I only use
"usernameOverTransportSecurity"? Is it possible for someone to find out the
password that the PC sends for authentication to the web service if I only
use "usernameOverTransportSecurity"? If it is possible to see someone's
password, what's a good way to verify the PC application is "talking" to a
valid server before it tries to authenticate by sending the user ID/Password?