Myth #5: A Two-Way Certificate Exchange Between a SOA Web Service and a Client Can Always Be Trusted. [False.]

Posted: December 1, 2011 in IT policy, SSL

Today’s SSL myth in our series deals with two-way certificate exchanges between a SOA web service and a client. We’ve already explained why one-way certificate authentication of a SOA web service is not guaranteed to be secure simply because it uses HTTPS. Now onto two-way certificate exchanges.

SSL achieves its security by using certificates, which are based on public-key cryptography, to authenticate each side of a connection between two parties: a web server and a client (usually a web browser). The SSL protocol assumes that, if a public key can be used to decrypt a piece of information, then it is all but certain that the information was originally encrypted with the corresponding private key.

When initiating a two-way SSL session, the client checks that the SOA web service certificate is valid and signed by a trusted entity. The server running the web service publishes a certificate (a little chunk of data that includes a company name, a public key and some other bits and pieces), and when the client connects to the server, the client sends the server some information encrypted using the public key from the certificate. The server then decrypts this using its private key. Once the connection is established, all information exchanged during that session is encrypted using this shared secret.

Since only the server knows the private key, and hence only the server can decrypt information encrypted with the public key, this lets the client confirm that it is communicating with the rightful owner of the certificate. Herein lies the flaw.

To defeat this setup, the MITM (man-in-the-middle) only has to do a little more work. It has to create its own certificate with a private/public key pair, sit between the client and server, acting as server to the client and client to the server, and listen in on everything sent between the two. Surprisingly simple, isn't it?
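What decides whether that self-made certificate is accepted is the validation each side performs on the certificate it receives. The following Go program is an added example, not code from this post or from NCP: it builds a constructed in-memory test PKI (the names, serial numbers and Ed25519 keys are all made up here) and shows that a certificate chaining to a root the client chose to trust and carrying the expected name verifies, while a self-signed certificate bearing the same name is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a constructed test certificate for name, signed by parent (self-signed when nil).
func issue(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{name}, // SAN drives the name check
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed with a fresh key pair: what the post's man-in-the-middle does
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyPeer is the check that makes a two-way exchange meaningful: the presented certificate must
// chain to a root this side chose to trust AND carry the expected name. Skip either and any self-made cert passes.
func VerifyPeer(peer *x509.Certificate, roots *x509.CertPool, expected string) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, DNSName: expected, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Demo: a trusted CA, a CA-issued service certificate, and an impostor bearing the same name.
func Demo() (legitAccepted, impostorRejected bool) {
	ca, caKey := issue("ca.example.test", 1, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	legit, _ := issue("soa.example.test", 2, false, ca, caKey)
	impostor, _ := issue("soa.example.test", 3, false, nil, nil)
	return VerifyPeer(legit, roots, "soa.example.test") == nil, VerifyPeer(impostor, roots, "soa.example.test") != nil
}
func main() { fmt.Println(Demo()) } // prints: true true
```

The server side applies the same check to the client certificate with ExtKeyUsageClientAuth; a client that disables the chain check or the name check, or that trusts a root the attacker controls, accepts the impostor.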

Comments
  1. […] SSL Myth Busting: A Two-Way Certificate Exchange Between a SOA Web Service and a Client Can Always B… (vpnhaus.ncp-e.com) […]

  2. […] SSL myths. Suffice it to say that Skype is not nearly as secure as people think. As we saw in Myth 5, the public key cryptography is susceptible to the infamous MITM attack. As a result of these […]
