Hopefully a quick question.
I want to secure my WCF service that will be consumed by a known party. Our organisation trust theirs and vice versa.
This service is already restricted by IP address, so we know the caller must have come from their network.
However I would like it to be protected against malicious developers within that organisation. In theory they could write a Bad App and install it anywhere on this network, and call our service, which would return the data.
I think a way around this would be to also use Client Certificates, which would be validated using Peer Trust. Each request would send this certificate, which we would validate on the WCF service, and send back the data.
My question – is this going to protect against the malicious developer scenario outlined above? We would know that the request would have to originate on the server with the client certificate installed (right?) – and I imagine it should be difficult for a malicious developer to get a Bad App on there. It is a shame we can’t tie it down to exactly the client application – or could we?
Any help appreciated – just want to make sure I nail my understanding of this!
If you will be granting access to your service based on the specific incoming client certificate, it should be as secure as the private key of that certificate. That is, if the private key is kept safe in the other organization, your service will be as safe (as safe as that public/private key pair of the certificate in terms of encryption).
If the private key is compromised within the other organization, for example, an attacker has access to it on the remote server, or is able to copy it to another remote server, then that attacker has access to your service. Because, once they have the private key, they can use the client certificate to connect using an SSL connection, and then they just have to pass the IP address check. Protect the client certificate’s private key.