SSL Myth Busting: One-way certificate authentication of a SOA web service is secure because it uses HTTPS.

Posted: October 4, 2011 in SSL

Continuing our series on SSL Myths, today we deal with the security of SOA web services. SOA's simplicity lies in its use of descriptor-based definitions of application transactions: a business process can be articulated directly into a service description, with the attributes of that description corresponding to the procedures of the business process and its sub-process threads.

Because SOA uses web-based technology, it is convenient to use SSL as the mechanism to secure user sessions. SSL can tunnel any application-level protocol that would otherwise run directly on top of TCP in the communications protocol stack. The most common use nowadays is to secure HTTP communication, i.e. HTTPS, in which case the user's browser is not authenticated — only the server side is authenticated by SSL. This is known as one-way SSL authentication. Sounds safe? Think again.

Man-in-the-Middle (MITM) attacks have been successful against this authentication scheme for at least 10 years.
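To make concrete what "only the server side is authenticated" means, here is an added example (not from the post) that runs a one-way and a mutual TLS handshake over loopback and reports what the server actually learns about the client. It uses the third-party `cryptography` package to mint throwaway self-signed certificates; the function names and the "localhost" / "soa-client" names are assumptions for this demonstration.

```python
import contextlib, datetime, functools, pathlib, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

@functools.lru_cache
def _pem_pair(cn):
    """Constructed self-signed cert and key for `cn`; returns (cert_path, key_path)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now, day = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - day).not_valid_after(now + day)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
            .sign(key, hashes.SHA256()))
    d = pathlib.Path(tempfile.mkdtemp())
    (d / "cert.pem").write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    (d / "key.pem").write_bytes(key.private_bytes(serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
    return str(d / "cert.pem"), str(d / "key.pem")

def handshake(server_requires_client_cert, client_has_cert):
    """One loopback TLS handshake; returns what the server learned about the client:
    'anonymous' (one-way TLS), the client's CN (mutual TLS) or 'rejected'."""
    srv_cert, srv_key = _pem_pair("localhost")
    cli_cert, cli_key = _pem_pair("soa-client")
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(srv_cert, srv_key)
    sctx.num_tickets = 0                        # keep the server silent after the handshake
    if server_requires_client_cert:             # mutual TLS: demand a client cert and trust
        sctx.verify_mode = ssl.CERT_REQUIRED    # only this issuer; without this the default
        sctx.load_verify_locations(cli_cert)    # CERT_NONE is the post's one-way scenario
    result, lsock = {}, socket.socket()
    lsock.bind(("127.0.0.1", 0)); lsock.listen(1); lsock.settimeout(5)
    def serve():
        try:
            with sctx.wrap_socket(lsock.accept()[0], server_side=True) as tls:
                peer = tls.getpeercert()        # None unless a client cert was verified
                result["client"] = dict(r[0] for r in peer["subject"])["commonName"] if peer else "anonymous"
        except OSError:                         # e.g. "peer did not return a certificate"
            result["client"] = "rejected"
    t = threading.Thread(target=serve); t.start()
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT); cctx.load_verify_locations(srv_cert)  # client checks server
    if client_has_cert: cctx.load_cert_chain(cli_cert, cli_key)
    with contextlib.suppress(OSError), cctx.wrap_socket(socket.socket(), server_hostname="localhost") as c:
        c.connect(lsock.getsockname())          # any alert is recorded by the server thread
    t.join(); lsock.close()
    return result["client"]
```

Note that `handshake(False, True)` still yields `'anonymous'`: in one-way mode the server never requests a certificate, so whatever credentials the client holds are irrelevant to the server's view of who it is talking to.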

Myth busted.

Comments
  1. […] the next post in our series debunking SSL myths. Today’s myth: Online banking via SSL session is secure. The answer is […]

  2. […] the next post in our series debunking SSL myths. Today’s myth: Java Authentication and Authorization Services (JAAS) […]

  3. […] two-way certificate exchanges between a SOA web service and a client. We’ve already explained why one-way certificate authentication of a SOA web service is not guaranteed to be secure simply be…. Now onto two-way certificate […]
