Reputation: 12739
We will be connecting to a web service over HTTPS. This will be triggered in the background if a user performs a certain action.
The link will be between the server and the web service, though - the user will not be aware of it.
As there is no user there to see the certificate come up with an error - because this is server to server - how can we mitigate a man-in-the-middle attack between the two servers? What would happen in the code if one were tried and the certificate failed?
We are using ASP.NET.
Upvotes: 2
Views: 619
Reputation: 22064
It's up to you - you can specify your own validation behavior via
ServicePointManager.ServerCertificateValidationCallback
The default implementation is very reasonable - it throws an exception when validation fails.
Upvotes: 4
Reputation: 34527
If you are using a well-written HTTP client library to consume your web service, the calls will fail if the certificate validation fails. A correct HTTP client library will do full validation, including making sure that the hostname it connects to matches the subject name of the certificate, that the CA is correct, etc. I would hope that .NET's implementation is correct in that regard, but you should definitely test and validate that the default behavior is correct.
Upvotes: 3
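The following is an added example, not code from any of the posts above. It shows what a failed certificate check looks like in a server-to-server call, and a validation callback that keeps the default accept/reject decision while logging the reason. It assumes .NET Framework with HttpWebRequest; the class name, method names and URL are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class BackendClient
{
    // Hypothetical endpoint, used only for illustration.
    private const string ServiceUrl = "https://service.example.com/api/status";

    // Call once at application start (e.g. Application_Start in Global.asax).
    public static void ConfigureCertificateValidation()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }

    // Accepts only when the platform reports no errors, which matches the
    // default behavior when no callback is set. The only addition is logging.
    private static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // errors is a flags value: RemoteCertificateNameMismatch,
        // RemoteCertificateChainErrors, RemoteCertificateNotAvailable.
        Trace.TraceError("TLS validation failed for {0}: {1}",
            certificate != null ? certificate.Subject : "(no certificate)", errors);
        return false; // never return true unconditionally here
    }

    public static string FetchStatus()
    {
        var request = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
                return reader.ReadToEnd();
        }
        catch (WebException ex) when (ex.Status == WebExceptionStatus.TrustFailure)
        {
            // The handshake was rejected, so the HTTP request was never sent.
            throw new InvalidOperationException("Backend certificate was not trusted; call aborted.", ex);
        }
    }
}
```

To check the default behavior as the last answer suggests, point the URL at a test host you control that presents an expired or wrong-hostname certificate and confirm that FetchStatus throws.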