How to protect an ad hoc WS-Discovery network from man-in-the-middle attacks
The WS-Discovery spec explains how to protect your network from:
- Message change
- Denial of service
- Replay
- Substitution

But what about a man-in-the-middle attack?
It is my understanding that the "message change" mitigation that signs messages protects the interaction from a man-in-the-middle attack. If you can verify the origin of a message and its authenticity against the unique subscriber of the sender, then anyone who tries to pretend to be the legitimate sender cannot.
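The check the answer above describes, as an added example that is not part of the original thread or of the WS-Discovery spec: a receiver that rejects a discovery message altered in transit and one that is replayed. It assumes a pre-shared `GROUP_KEY` and uses HMAC-SHA256 over JSON as a standard-library stand-in for the spec's signature over canonicalised XML; the message values and the `Verifier` class are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a key provisioned out of band to every legitimate node.
# HMAC stands in for the sender's signature so the example needs no
# third-party library; the verification logic is the same.
GROUP_KEY = b"constructed-demo-key"


def canonical(msg):
    """Serialise every field except the tag deterministically."""
    body = {k: v for k, v in msg.items() if k != "Sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(msg, key=GROUP_KEY):
    """Return a copy of msg carrying an HMAC-SHA256 tag over its fields."""
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "Sig": tag}


class Verifier:
    """Accept a message only if its tag is valid and its sequence advances."""

    def __init__(self, key=GROUP_KEY):
        self.key = key
        self.last_seen = {}  # EndpointAddress -> (InstanceId, MessageNumber)

    def accept(self, msg):
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        supplied = str(msg.get("Sig", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "rejected: bad signature"
        seq = (msg["InstanceId"], msg["MessageNumber"])
        if seq <= self.last_seen.get(msg["EndpointAddress"], (0, 0)):
            return "rejected: replay"
        self.last_seen[msg["EndpointAddress"]] = seq
        return "accepted"


def demo():
    # Constructed sample Hello announcement (documentation address range).
    hello = sign({"Action": "Hello", "EndpointAddress": "urn:uuid:constructed-0001",
                  "XAddrs": "http://192.0.2.10/device",
                  "InstanceId": 1, "MessageNumber": 1})
    # A party in the path rewrites XAddrs but cannot recompute the tag.
    altered = {**hello, "XAddrs": "http://192.0.2.66/device"}
    v = Verifier()
    return [v.accept(altered), v.accept(hello), v.accept(hello)]


if __name__ == "__main__":
    print(demo())
```

With a shared key, any node that holds the key can produce a valid tag, so this shows integrity and replay checking only; binding a message to one specific sender needs per-sender asymmetric keys.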
The idea behind a man-in-the-middle attack (Wikipedia.org) is that your network is compromised and an attacker can intercept, view and modify traffic between all participants. The easiest step to prevent this is to encrypt the network with WPA (at a minimum) and block the access points. Your goal should be to prevent an attacker from entering the network first. The second layer of protection you can use is some form of encryption for all traffic between parties on the network (possibly something other than public / private), so even if the network is compromised, the traffic will still not be understandable to the cracker.