6

I have a WCF service accessible over the Internet. It has wsHttpBinding binding and message security mode with username credentials to authenticate clients. The msdn says that we should use message security for the Internet scenarios, because it provides end-to-end security instead of point-to-point security as Transport security has.

What if I use transport security for the WCF service over the Internet? Is it a bad practice? Could my data be seen by malicious users?

casperOne
Sergey Smelov

3 Answers

8

No, it would be a good practice - trouble is: you cannot guarantee a complete chain of secure connections over an arbitrary number of intermediate hops when you're dealing with an internet connection.

All you can guarantee with transport security is the link from your client to the first hop, and the link from the last hop to your server - anything in between is beyond your control. So basically, transport security over the internet is not going to work - unless you have a strictly controlled environment where you know the client connects very directly to your servers.

Due to those technical limitations, transport security only really works in corporate / LAN environments. As soon as you have no control over the routing and the intermediary hops, you need to use message security for end-to-end security.

marc_s
  • Could I ask you one more thing? What if I need to transfer large amounts of data to the WCF over the Internet? Using wsHttpBinding and message security it is very slow! – Sergey Smelov Jun 03 '10 at 13:16
  • @Sergey: check out WCF Streaming - you can use wsHttpBinding for that, too - should speed things up a bit! – marc_s Jun 03 '10 at 13:22
  • @Sergey: and you could create a separate service contract without any message security for file transfer - speedier, but not very secure any more - it's a trade-off (as always, in computer science). – marc_s Jun 03 '10 at 13:22
  • What if the client only trusts a particular SSL certificate? Wouldn't it invalidate man-in-the-middle attacks and make transport level security suitable for the internet? – axk Feb 16 '13 at 19:55
  • But if the connection is over HTTPS then the intermediates can't understand the message because it's encrypted, so why isn't transport security sufficient? (I'm not sure if that's what @axk already asks) – BornToCode Feb 11 '15 at 14:42
5

Yes, it is 100% secure when the clients validate the server certificate (which most clients do).

The multiple hop scenario mentioned here is completely bogus. This is only true when the same message travels through various applications, like for example several application brokers. If these brokers do not communicate securely then the message can be read by intermediate network sniffers.

In other words, client/server communication over the internet is 100% secure even when there are a million routers in between, but it is only secure when the client validates the server certificate, as the client could connect to a man-in-the-middle host that could impersonate the server with a false certificate. If the client does not validate the certificate, the message could be compromised.

Ramon Smits
  • So you mean using Transport security over internet, data can't be hacked? – Upendra Chaudhari Jun 19 '14 at 05:03
  • That is correct, as long as the Transport is secure. That is what it basically says. You can choose to encrypt the message and/or the transport. But only if the Transport is secure! Sending a message over an insecure transport makes communication vulnerable. – Ramon Smits Jun 22 '14 at 21:15
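The two answers above turn on the same point: transport security over the Internet is only as good as the client's certificate validation, and axk's comment asks whether trusting one particular certificate closes the man-in-the-middle gap. The following C# client is an added example, not code from the question, the answers, or any WCF sample. It assumes a hypothetical `IDataService` contract, a placeholder endpoint URL and a placeholder certificate thumbprint. It configures `wsHttpBinding` in `TransportWithMessageCredential` mode (TLS on the channel, the username token inside the message, which matches the asker's username-credential setup) and contrasts the validation callback that reviewers should flag (accept everything) with one that keeps the platform checks and additionally pins the server certificate.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract standing in for the asker's service; not from the page.
[ServiceContract]
public interface IDataService
{
    [OperationContract]
    string Echo(string text);
}

public static class SecureWcfClient
{
    // Placeholder: replace with the thumbprint of the certificate the client was provisioned with.
    private const string PinnedThumbprint = "PLACEHOLDER_SERVER_CERT_THUMBPRINT";

    // WEAK: accepts any certificate, so a host impersonating the server with a
    // forged certificate is trusted. Shown only so the pattern is recognisable
    // in a code review; never install this in a client.
    public static readonly RemoteCertificateValidationCallback AcceptAnything =
        (sender, cert, chain, errors) => true;

    // HARDENED: keep the chain, name and expiry checks System.Net already did
    // (errors must be None) and additionally require the exact pinned certificate.
    public static readonly RemoteCertificateValidationCallback ValidateAndPin =
        (sender, cert, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None || cert == null)
                return false;
            var x509 = new X509Certificate2(cert);
            return string.Equals(x509.Thumbprint, PinnedThumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        };

    public static IDataService CreateChannel(string userName, string password)
    {
        // WCF's HTTPS transport hands the TLS handshake to System.Net, so this
        // process-wide callback is where transport-level validation is decided.
        ServicePointManager.ServerCertificateValidationCallback = ValidateAndPin;

        // TLS protects the channel; the username token travels inside the
        // message and is never sent over an unencrypted link.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Placeholder address; the real service URL is not on the page.
        var address = new EndpointAddress("https://service.example.invalid/DataService.svc");
        var factory = new ChannelFactory<IDataService>(binding, address);
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

Two caveats a practitioner would want: `ServerCertificateValidationCallback` is global to the process, so one library that sets it to `AcceptAnything` silently disables validation for every HTTPS call the application makes; and pinning means the client must be updated whenever the server certificate is renewed, so pin to a certificate you control the rotation of.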
1

IMO it may not be 100%

If BlueCoat can do it, then who else can?

http://directorblue.blogspot.com/2006/07/think-your-ssl-traffic-is-secure-if.html

Bob
  • BlueCoat relies on adding a certificate to the trusted authorities. This can't be done without client cooperation. – Polly Shaw Aug 28 '14 at 08:35