
Would you please give me some recommendations about this scenario: a web application will call a WCF service using wsHttpBinding, and the WCF service is IIS-hosted on a company server. My problem is that I am kind of stuck on security. As far as I know, wsHttpBinding is configured with message security and Windows Authentication by default (for the moment I cannot use any SSL certificate because the company doesn't have any and has no plans to get one), but is it enough to provide security for my WCF service? Do I have to use any other kind of security (transport, transport with credentials, etc.)? In my opinion it is enough, but could you tell me if I'm wrong and have to specify any other security?

Pablo Tobar
  • Windows Authentication means you are on an intranet. If you wanted, you could install Certificate Services and use your own internal certificates. Otherwise, do you really intend to transmit unencrypted Windows accounts and passwords on the public Internet? SSL certificates are free with Let's Encrypt. – Panagiotis Kanavos Feb 28 '17 at 16:33
  • Besides, WCF Transport Security for HTTP means SSL. – Panagiotis Kanavos Feb 28 '17 at 16:37
  • Thanks. So for Internet consumption purposes, do I have to specify another type of security? I understand and believe that using an SSL certificate is the best option, but I cannot create any; I actually don't have any permissions that allow me to create even a self-signed SSL certificate. Do I have any other option? – Pablo Tobar Feb 28 '17 at 16:40
  • This isn't exactly a software question, perhaps not even a technical one. You can encrypt the connection in the standard way using SSL, or you can require VPN connections from clients to the unprotected web service. That's *not* cheaper by the way. This has nothing to do with WCF. That's how the Internet works. Perhaps the company should reconsider why they don't want to use SSL. – Panagiotis Kanavos Feb 28 '17 at 16:54
  • Thanks for the answer. – Pablo Tobar Feb 28 '17 at 17:04
  • Take a look at this thread: http://stackoverflow.com/questions/1570939/wcf-message-security-without-certificate-and-windows-auth – olavooneto Feb 28 '17 at 20:18
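
The two security modes discussed in this thread, written out as `web.config` binding sections. This is an added example, not configuration from the original post; the binding names, service name and contract (`msgWindows`, `tlsWindows`, `Example.Service`, `Example.IService`) are hypothetical placeholders. The first binding spells out the wsHttpBinding defaults the question describes; the second is Transport mode, which on HTTP requires an https endpoint and therefore a server certificate bound in IIS.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Defaults the question describes, made explicit:
           SOAP message security with Windows credentials over plain http. -->
      <binding name="msgWindows">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
      <!-- Transport security: for HTTP this means SSL/TLS, so the endpoint
           must be published over https with a certificate bound in IIS. -->
      <binding name="tlsWindows">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="Example.Service">
      <!-- Reference exactly one binding configuration per endpoint;
           both bindings are defined above only for comparison. -->
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="msgWindows"
                contract="Example.IService" />
    </service>
  </services>
</system.serviceModel>
```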

0 Answers