I created a service that uses custom binding and is secured with username / pass using ASP.NET membership. It needed a certificate, which I understand is used to encrypt the authentication info.
Does it also encrypt the whole message? Does it mean the message is already secured (encrypted)? Do I get any security benefit if I access the service over SSL?
Thanks
WCF has two types of security – Transport Level (SSL) and Message Level (certificates, keys). If the message is not secured, any software running on the WCF host/client machine that receives the message can interpret its value. However, message security provides added protection to ensure that other apps running on your server cannot compromise the contents. The downside is the performance overhead of encrypting the message contents and the distribution of keys/certs. It truly depends on the needs and level of protection surrounding the applications.
If your application is internal – you likely don’t need to use message protection. There are many factors to consider though.
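To make the two options concrete, here is an added configuration example (not from the question or answer above) showing a WCF customBinding with ASP.NET membership validation once as message security and once as transport security. The service name, contract, certificate subject and membership provider name are placeholders; with message security, WCF's default ProtectionLevel of EncryptAndSign means the SOAP body itself is signed and encrypted, not only the username token.

```xml
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- Option A: message-level security. The client encrypts the username
           token and (with the default ProtectionLevel=EncryptAndSign) the SOAP
           body to the service certificate, so the payload stays protected even
           through intermediaries and on the host until the service decrypts it. -->
      <binding name="MessageSecurity">
        <security authenticationMode="UserNameForCertificate" />
        <textMessageEncoding />
        <httpTransport />
      </binding>
      <!-- Option B: transport-level security. The username token travels in
           the message, protected only by the HTTPS channel hop by hop;
           anything that terminates SSL (proxy, load balancer, host process)
           sees the message in clear. Less overhead, no client-side cert handling. -->
      <binding name="TransportSecurity">
        <security authenticationMode="UserNameOverTransport" />
        <textMessageEncoding />
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <services>
    <!-- Placeholder service/contract names; switch bindingConfiguration to
         "TransportSecurity" to use option B instead. -->
    <service name="Demo.MyService" behaviorConfiguration="MembershipAuth">
      <endpoint address="" binding="customBinding"
                bindingConfiguration="MessageSecurity" contract="Demo.IMyService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MembershipAuth">
        <serviceCredentials>
          <!-- Certificate the client encrypts to (message security) or that
               identifies the service; subject name is a placeholder. -->
          <serviceCertificate findValue="SERVICE-CERT-SUBJECT-PLACEHOLDER"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Validate the username/password against the ASP.NET membership
               provider; provider name is a placeholder. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```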