1

I'm trying to understand more why I shouldn't use WCF transport security over the internet. From the answer here I'm told the chain of hops may not be secure. But isn't transport security just like https (which is widely used on the internet)? Or maybe I should ask, what is the difference between wcf transport and https?

If I need to explain myself clearer, please comment.

Thanks

Steve

3 Answers

1

Transport security is indeed very similar to HTTPS (and identical in many cases). What it provides you is an encrypted tunnel between your client and the server. Providing there's a direct connection from your client to your server, it's perfectly fine (providing that your client verifies that it got the right server certificate). If your client is talking to another intermediate server, on which you rely to pass the message to your server - then that intermediate server would get unencrypted data.

An example :

You have a company that processes payments. Because of some regulations, you need servers in each country, and those in turn pass the requests to your main server in the US.

You want to make sure that even if the local hosting company tries to find out what details are being passed, they can't.

That is what Message Security provides you - you trust only the client and your main servers, so you want only them to be able to encrypt and decrypt.

With Transport Security, there would be two transitions - the client will encrypt, and the intermediate server will decrypt. Then it will encrypt again, and your main servers will decrypt. As you can see, there is an intermediate phase where the data is plain in RAM in the intermediate server.

This MSDN article describes it very well, and where to use each : MSDN

kobigurk
  • Using your example. If I didn't have local servers in each country, but I was still in another country and the requests needed to go through plenty of routers to get to the main server, is my request encrypted and decrypted then? – Steve Oct 03 '13 at 06:45
  • 1
    routers are OK, those are not hops in that sense. Transport Security (let's consider HTTPS) provides security (including encryption) between the client and servers, providing that the client ensures that it got the right certificate from the server. – kobigurk Oct 03 '13 at 06:52
  • Thanks kobigurk. What you say makes sense. So if I have set up no intermediate server then transport security over the internet should be no problem? just to double confirm :) – Steve Oct 03 '13 at 07:01
  • 1
    Yes - again, providing that you verify the certificate. WCF does that using Windows' own validation, which relies on the root server certificates installed on that PC, usually gotten from Windows Update (there should be several hundred). We use Transport Security exclusively, but I believe that if we were processing sensitive information and didn't want to rely only on SSL (which had some implementation bugs the last few years), we would use Message Security as well. For all that is concerned, Transport Security using HTTPS is as good as SSL. – kobigurk Oct 03 '13 at 07:06
  • Thanks, I'm going to sleep easy tonight. – Steve Oct 03 '13 at 07:06
  • In your example, isn't Transport Security redundant, since the message is already encrypted, and the non-US-based servers will be unable to read its content? – Kye Jul 07 '14 at 00:23
  • Kye - Transport Security is the worse option here. It provides you encryption only between the immediate server you're talking to. That means the intermediate server can read the underlying message. If we want to relate it to terms you probably know, Transport Security is like SSL, and Message Security is like string encryption. – kobigurk Jul 07 '14 at 04:16
0

Look at another answer on the link you gave. It explains that the case where transport security is not sufficient is when the client doesn't check the server certificate. I quoted the answer below:

Yes it is 100% secure when the clients (which most clients do) validate the server certificate.

The multiple hop scenario mentioned here is completely bogus. This is only true when the same message travels through various applications. Like for example several application brokers. If these brokers do not communicate securely then the message can be read by intermediate network sniffers.

In other words, client/server communication over the internet is 100% secure even when there are a million routers in between but it is only secure when the client validates the server certificate as the client could connect to a man-in-the-middle host that could impersonate the server with a false certificate. If the client does not validate the certificate the message could be compromised.

nikoniko
  • So is wcf transport security as secure as https then? I don't understand why the accepted answer from a (decorated) member of our community doesn't make note of this if it is indeed true. – Steve Oct 03 '13 at 06:31
  • 1
    @Steve because if there are intermediary systems between the client and the service, each intermediate point must forward the message over a new SSL connection. See my answer and the link. – Ehsan Oct 03 '13 at 06:33
0

I'm trying to understand more why I shouldn't use WCF transport security over the internet

You should not, because (quoting from here):

Transport Security

Transport security is used to provide point-to-point security between the two endpoints (service and client). If there are intermediary systems between client and the service, each intermediate point must forward the message over a new SSL connection.

Message Security

When using message security, the user credentials and claims are encapsulated in every message using the WS-Security specification to secure messages. This option gives the most flexibility from an authentication perspective. You can use any type of security credentials you want, largely independent of transport, as long as both the client and service agree.

Ehsan
  • Can you define an "intermediate point"? Is it any hop? And by "new SSL connection", does that mean it has the decrypted credentials and message, and re-encrypts them after verifying the server certificate? – Steve Oct 03 '13 at 06:37
  • Normally, you are not going to have direct connection between client and your server. And all the points in between are intermediate points. – Ehsan Oct 03 '13 at 06:39
  • My setup mustn't be normal then. As a small app to server communicating I'm interested to know what is normal in this case - do you know? – Steve Oct 03 '13 at 07:00
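The two points made across kobigurk's answer (transport security is fine on a direct connection only if the client validates the server certificate) and Ehsan's answer (message security protects the SOAP body end to end, independent of how many TLS connections it crosses) can be shown side by side in WCF client code. The following is an added example, not code from any of the answers; the `IPaymentService` contract, the `payments.example.com` host name and the certificate subject name are assumed for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract, assumed for this example only.
[ServiceContract]
public interface IPaymentService
{
    [OperationContract]
    string SubmitPayment(string cardToken, decimal amount);
}

public static class WcfSecurityExamples
{
    // Transport security: the HTTPS channel is encrypted between this client and
    // whatever terminates TLS on the other side. If that is a relay or broker, the
    // relay sees the plaintext SOAP body before it opens its own TLS connection onward.
    public static WSHttpBinding TransportBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return binding;
    }

    // Message security: the SOAP body is signed and encrypted with WS-Security for the
    // service's certificate, so an intermediary that terminates TLS still sees only
    // ciphertext. Only the holder of the service's private key can decrypt it.
    public static WSHttpBinding MessageBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.None;
        // The service certificate is negotiated at runtime and then validated
        // according to the ServiceCertificate.Authentication settings below.
        binding.Security.Message.NegotiateServiceCredential = true;
        return binding;
    }

    // Client-side factory with explicit server certificate validation. This is the
    // check kobigurk's comments insist on: without it, either binding can be
    // terminated by a host presenting a certificate that was never verified.
    public static ChannelFactory<IPaymentService> CreateFactory(WSHttpBinding binding, string address, string expectedDnsName)
    {
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity(expectedDnsName));
        var factory = new ChannelFactory<IPaymentService>(binding, endpoint);

        var auth = factory.Credentials.ServiceCertificate.Authentication;
        // ChainTrust is the default, but stating it makes the intent reviewable:
        // the certificate must chain to a trusted root in the Windows store.
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        // Weak setting, shown for contrast and deliberately not applied:
        //   auth.CertificateValidationMode = X509CertificateValidationMode.None;
        // That accepts any certificate and lets an impersonating host read the traffic,
        // which is exactly the failure nikoniko's quoted answer warns about.
        return factory;
    }

    // Service-side counterpart: the host must hold the certificate whose public key
    // the clients validate (transport) or encrypt to (message).
    public static ServiceHost CreateHost(Type implementation, WSHttpBinding binding, string address, string certSubjectName)
    {
        var host = new ServiceHost(implementation, new Uri(address));
        host.AddServiceEndpoint(typeof(IPaymentService), binding, string.Empty);
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, certSubjectName);
        return host;
    }

    public static void Main()
    {
        // Constructed sample values; replace with the real endpoint in use.
        const string address = "https://payments.example.com/PaymentService";
        const string dnsName = "payments.example.com";

        // Direct client-to-server: transport security with chain validation is sufficient.
        var direct = CreateFactory(TransportBinding(), address, dnsName);
        Console.WriteLine("Transport binding: " + direct.Endpoint.Binding.Name);

        // Traffic relayed through servers you do not trust: encrypt the message itself.
        var relayed = CreateFactory(MessageBinding(), address, dnsName);
        Console.WriteLine("Message binding: " + relayed.Endpoint.Binding.Name);
    }
}
```

The address in `CreateFactory` is an `https://` URL in both cases; with `SecurityMode.Message` the same binding would also work over plain `http://`, which is the practical meaning of "largely independent of transport" in the quoted documentation. The `RevocationMode` setting only matters when the chain is actually checked, so it is paired with `ChainTrust` rather than set on its own.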