Consulting - Stories from Trenches, Case Studies, and Tech Notes
Hi Alik,
Regarding SOA - currently only WSE (IMHO) gives a complete solution, because it implements OASIS completely.
The solution mentioned is not complete, since it does not protect against replay attacks and HTTP proxy interception and changing the message.
Anatoly, good points!
The goal of the "SOA.." post was not to present a complete solution, but rather to show Authentication (context 1) in an internet scenario (another narrowing, context 2).
"Complete solution" is too broad a statement, so use the above contexts to narrow it.
Re WSE - today I try to stay away from it, since WCF replaces it.
Re replay attacks - client certs are one of the strongest authentication mechanisms available.
Re proxies and tampering - the countermeasure for these would be input validation.
Imagine that I create a proxy inside the WSE pipeline, or the remoting pipeline like here:
http://blogs.microsoft.co.il/blogs/alikl/archive/2006/11/25/App-Architecture-with-Security-in-mind-_2D00_-Video_2C00_-Part-II.aspx
or the WCF pipeline like here:
http://blogs.msdn.com/alikl/archive/2007/03/04/how-to-hack-wcf-new-technology-old-hacking-tricks.aspx
So no signature would help to counter these, but good input validation would.
The full story is here: http://msdn.com/SecurityEngineering
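The replay check Anatoly raises and the input validation Alik recommends, as an added example that is not code from this thread, from WSE or from WCF itself: a hypothetical server-side WCF dispatch message inspector (ReplayAndInputGuard) that rejects messages without a WS-Addressing MessageID, messages whose assumed "Timestamp" header (placeholder namespace urn:example:security) falls outside a five-minute freshness window, and duplicate MessageIDs seen inside that window, plus an allow-list validator for a body value (ValidateAccountId) that a service operation would call on its parameters. The header name, namespace, window size and the account-id pattern are assumptions for the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Globalization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Hypothetical inspector (example code, not from the post, WSE or WCF):
// freshness + uniqueness checks on every inbound message, as defence in
// depth beside the transport or message signature.
public sealed class ReplayAndInputGuard : IDispatchMessageInspector
{
    // Assumed custom header: the sender's UTC send time in ISO 8601 form.
    const string TimestampHeader = "Timestamp";
    const string TimestampNs = "urn:example:security"; // placeholder namespace

    // Assumed acceptance window; anything older or further ahead is rejected.
    static readonly TimeSpan Freshness = TimeSpan.FromMinutes(5);

    // MessageIDs accepted inside the window, with the time they were recorded.
    readonly ConcurrentDictionary<string, DateTime> seen =
        new ConcurrentDictionary<string, DateTime>();

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        // 1. Every message must carry a WS-Addressing MessageID.
        if (request.Headers.MessageId == null)
            throw new FaultException("Missing MessageID");

        // 2. Freshness: the timestamp header must exist, parse, and be recent.
        int idx = request.Headers.FindHeader(TimestampHeader, TimestampNs);
        if (idx < 0)
            throw new FaultException("Missing Timestamp");
        DateTime sent;
        if (!DateTime.TryParse(request.Headers.GetHeader<string>(idx),
                CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                out sent))
            throw new FaultException("Malformed Timestamp");
        DateTime now = DateTime.UtcNow;
        if (sent < now - Freshness || sent > now + Freshness)
            throw new FaultException("Stale message");

        // 3. Replay: a MessageID already accepted inside the window is rejected.
        Prune(now);
        if (!seen.TryAdd(request.Headers.MessageId.ToString(), now))
            throw new FaultException("Replayed message");

        return null; // no correlation state needed for the reply
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // Drop IDs older than the window; they can no longer pass the freshness check.
    void Prune(DateTime now)
    {
        foreach (var entry in seen)
        {
            if (entry.Value < now - Freshness)
            {
                DateTime ignored;
                seen.TryRemove(entry.Key, out ignored);
            }
        }
    }

    // Allow-list validation of a body value, to be called by the service
    // operation on its deserialized parameters (assumed format: 8 to 12
    // upper-case letters or digits).
    static readonly Regex AccountIdPattern =
        new Regex(@"^[A-Z0-9]{8,12}$", RegexOptions.Compiled);

    public static bool ValidateAccountId(string accountId)
    {
        return accountId != null && AccountIdPattern.IsMatch(accountId);
    }
}
```

The inspector is attached on the service side through an endpoint behavior that adds it to EndpointDispatcher.DispatchRuntime.MessageInspectors. Note the dependency between the two points in the thread: the MessageID and timestamp only bound replays when they are covered by the message signature or carried over a mutually authenticated channel, since an unsigned header can be rewritten by the same in-pipeline proxy Alik describes; that is why ValidateAccountId runs on the parameters the operation actually receives rather than trusting anything upstream.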