Yuriy

Reputation: 2691

Is WCF affected by FREAK attack?

There is a new attack named FREAK.

Is WCF affected by FREAK attack?

As I understood from this question, there is no way to programmatically specify the allowed ciphers in WCF.

Upvotes: 0

Views: 113

Answers (1)

CodeCaster

Reputation: 151588

You need three things for FREAK to work:

  • A server, allowing 'weak' (export) cipher suite requests
  • A vulnerable client, allowing 'weak' cipher suite responses due to the OpenSSL/Secure Transport bug
  • A man in the middle, such as a public hotspot or a rogue machine on your, your ISP's or the server's network

From the article you linked:

"At the moment, Windows and Linux end-user devices were not believed to be affected."

So if you let an Android or Apple client talk directly to an HTTPS site on any server that allows 'export' cipher suites, those clients are vulnerable.

If that site happens to run a WCF service that is accessible over HTTP (BasicHttp/SOAP 1.1, WsHttp/SOAP 1.2), then yes, your WCF service is vulnerable. This means that the client can see things the server didn't send and that the man in the middle can read all traffic being exchanged by server and client.

Upvotes: 1
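
A server-side check for the first condition listed in the answer above, as an added example that is not part of the original answer: it offers only RSA export suites in a TLS 1.0 ClientHello and reports whether the ServerHello selects one. The function names and sample replies are constructed for illustration; `probe` is meant for an endpoint you operate, such as the HTTPS binding that hosts the WCF service.

```python
import os
import socket

# RSA export-grade suites (values from RFC 2246) that the server must refuse.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites=RSA_EXPORT_SUITES):
    """Build a TLS 1.0 ClientHello that offers only the given cipher suites."""
    ids = b"".join(s.to_bytes(2, "big") for s in sorted(suites))
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"   # version, random, empty session id
            + len(ids).to_bytes(2, "big") + ids      # cipher suite list
            + b"\x01\x00")                           # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def selected_export_suite(reply):
    """Return the name of the export suite a ServerHello selected, else None."""
    # A refusal is an alert record (type 0x15), a closed connection, or anything
    # that is not a handshake record (0x16) carrying a ServerHello (0x02).
    if len(reply) < 44 or reply[0] != 0x16 or reply[5] != 0x02:
        return None
    # 5 record header + 4 handshake header + 2 version + 32 random = offset 43
    offset = 44 + reply[43]                          # skip the session id
    if len(reply) < offset + 2:
        return None
    return RSA_EXPORT_SUITES.get(int.from_bytes(reply[offset:offset + 2], "big"))

def probe(host, port=443, timeout=5.0):
    """Send the export-only hello to a server you operate; classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(build_client_hello())
            return selected_export_suite(conn.recv(4096))
    except ConnectionResetError:                     # server dropped the handshake
        return None

if __name__ == "__main__":
    # Constructed sample replies (not captured traffic): a fatal handshake_failure
    # alert, and a ServerHello that picks suite 0x0003 with an empty session id.
    alert = bytes.fromhex("15030100020228")
    server_hello = (bytes.fromhex("160301002a02000026") + b"\x03\x01"
                    + bytes(32) + b"\x00\x00\x03\x00")
    print(selected_export_suite(alert), selected_export_suite(server_hello))
```

A `None` result only says this particular hello was not answered with an export suite; a server that rejects TLS 1.0 or requires SNI also returns `None`.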
