I have written a WCF service that returns 'semi-private' data concerning peoples name, addresses and phone numbers. By semi-private, I mean that there is a username and password to access the data, and the data is meant to be secured in transit. However, IMHO noone is going to expend any energy trying to obtain the data, as it is mostly available in the public phone book anyway etc. At some level, the security is a bit of security 'theatre' to tick some boxes imposed on us by government entities.
The client end of the service is an application which is given out to registered 'users' to run within their own IT setups. We have no control over the IT of the users - and in fact they often tell us to 'go jump' if we put too many requirements on their systems.
One problem we have been encountering is numerous users that have system clocks that are not accurate. This can either be caused by a genuine slow/fast clocks, or more than likely a timezone or daylight savings zone error (putting their machine an hour off the 'real' time). A feature of the WCF bindings we are using is that they rely on the notion of time to detect replay attacks etc.
<wsHttpBinding>
<binding name="normalWsBinding" maxBufferPoolSize="524288" maxReceivedMessageSize="655360">
<reliableSession enabled="false" />
<security mode="Message">
<message clientCredentialType="UserName" negotiateServiceCredential="false"
algorithmSuite="Default" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
The inaccurate client clocks cause security exceptions to be thrown and unhappy users.
Other than suggesting users correct their clocks, we know that we can increase the clock skew of the security bindings.
http://www.danrigsby.com/blog/index.php/2008/08/26/changing-the-default-clock-skew-in-wcf/
My question is, what are the real practical security ramifications of increasing the skew to say 2 hours? If an attacker can perform some sort of replay attack, why would a clock skew window of 5 minutes be necessarily safer than 2 hours? I presume performing any attack with security mode of 'message' requires more than just capturing some data at a proxy and sending the data back in again to 'replay' the call? In a situation like mine where data is only 'read' by the users, are there indeed any security ramifications at all to allowing 'replay' attacks?