Continuing our series on SSL Myths, today we deal with the security of SOA web services. SOA's simplicity lies in its descriptor-based definition of application transactions: a business process is articulated directly as a service description, and the attributes of that description map onto the procedures of the business process and its sub-process threads.
Because SOA is built on web technology, it is convenient to use SSL to secure the sessions between callers and services. SSL can tunnel any application-level protocol that would otherwise run directly on top of TCP. Its most common use today is securing HTTP, which gives HTTPS, and in the usual HTTPS deployment only the server is authenticated by SSL: the client (the user's browser, or in an SOA the calling service) presents no certificate and is not identified by the protocol at all. This is known as one-way SSL authentication. Sounds safe? Think again.
Man-in-the-Middle (MITM) attacks have been successful against this authentication scheme for at least 10 years. With one-way SSL the entire authentication decision rests on the client checking the server's certificate; a client that skips that check, or is tricked into accepting a forged certificate, hands the attacker a session in which the server side has no way to tell the impostor from the real caller.
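The two schemes contrasted above, and the condition under which the MITM succeeds, as an added example that is not part of the original post and not taken from any SOA product: a Go program that mints throwaway certificates in memory, runs one TLS handshake over loopback per configuration, and reports what the server learned about the client. The CA name, the gateway host name soa-gateway.example, the client name billing-service and the scenario labels are all invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// must panics on error: keys and sockets here are in-memory and loopback, so a
// failure is a bug in the example rather than a condition worth handling.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint generates a throwaway key and certificate for name. usage == 0 makes a
// CA; otherwise a leaf bound to its name and one role. It is signed by ca, or
// self-signed when ca is nil (a private CA, or an impostor's own certificate).
func mint(name string, ca *tls.Certificate, usage x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if usage != 0 {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{usage}
	} else {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuing CA is given
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one loopback connection and returns the server's verdict:
// "rejected", or "accepted, client=<identity>" where anonymous means no client cert.
func handshake(server, client *tls.Config) string {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan string, 1)
	go func() {
		conn := tls.Server(must(ln.Accept()), server)
		defer conn.Close()
		if _, err := conn.Write([]byte("hello")); err != nil { // Write runs the handshake
			done <- "rejected"
			return
		}
		who := "anonymous"
		if peers := conn.ConnectionState().PeerCertificates; len(peers) > 0 {
			who = peers[0].Subject.CommonName // present only for a requested, verified client cert
		}
		done <- "accepted, client=" + who
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil {
		io.ReadAll(conn) // under TLS 1.3 a rejected client learns of it here, not in Dial
		conn.Close()
	}
	return <-done
}

// scenarios builds one-way and two-way configurations for a gateway whose
// certificate comes from a private CA, plus an impostor with a self-signed
// certificate for the gateway's name, and runs each pairing.
func scenarios() map[string]string {
	ca := mint("SOA Trusted CA", nil, 0)
	server := mint("soa-gateway.example", &ca, x509.ExtKeyUsageServerAuth)
	client := mint("billing-service", &ca, x509.ExtKeyUsageClientAuth)
	impostor := mint("soa-gateway.example", nil, x509.ExtKeyUsageServerAuth) // what a MITM presents
	trust := x509.NewCertPool()                                                // the only CA either side trusts
	trust.AddCert(ca.Leaf)
	srv := func(cert tls.Certificate, auth tls.ClientAuthType) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: auth, ClientCAs: trust}
	}
	cli := func(skipVerify bool, certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: trust, ServerName: "soa-gateway.example", InsecureSkipVerify: skipVerify, Certificates: certs}
	}
	res := map[string]string{}
	for name, cfg := range map[string][2]*tls.Config{
		"one-way/anon":                 {srv(server, tls.NoClientCert), cli(false)},
		"one-way/impostor/verify":      {srv(impostor, tls.NoClientCert), cli(false)},
		"one-way/impostor/skip-verify": {srv(impostor, tls.NoClientCert), cli(true)},
		"two-way/anon":                 {srv(server, tls.RequireAndVerifyClientCert), cli(false)},
		"two-way/trusted-client":       {srv(server, tls.RequireAndVerifyClientCert), cli(false, client)},
		"two-way/rogue-client":         {srv(server, tls.RequireAndVerifyClientCert), cli(false, mint("billing-service", nil, x509.ExtKeyUsageClientAuth))},
	} {
		res[name] = handshake(cfg[0], cfg[1])
	}
	return res
}

func main() {
	for name, verdict := range scenarios() {
		fmt.Printf("%-30s %s\n", name, verdict)
	}
}
```

Run it with `go run .`. Under one-way SSL the gateway accepts every caller as anonymous, and the verdict in the skip-verify case is the MITM condition from the text: a caller that does not validate the server certificate completes a handshake with the impostor, which in turn sees nothing but an anonymous client and can relay the traffic. Under two-way SSL the same anonymous caller, and a caller with a certificate the trusted CA never issued, are rejected before any application data is exchanged, while the caller holding a CA-issued certificate is accepted and the gateway learns its identity from the verified certificate rather than from anything inside the request.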