I have a WCF service accessible over the Internet. It has wsHttpBinding binding and message security mode with username credentials to authenticate clients.
MSDN says that we should use message security for Internet scenarios, because it provides end-to-end security instead of the point-to-point security that transport security has.
What if I use transport security for the WCF service over the Internet? Is it a bad practice? Could my data be seen by malicious users?
No, it would be a good practice – trouble is: you cannot guarantee a complete chain of secure connections over an arbitrary number of intermediate hops when you’re dealing with an internet connection.
All you can guarantee with transport security is the link from your client to the first hop, and the link from the last hop to your server – anything in between is beyond your control. So basically, transport security over the internet is not going to work – unless you have a strictly controlled environment where you know the client connects very directly to your servers.
Due to those technical limitations, transport security only really works in corporate / LAN environments. As soon as you have no control over the routing and the intermediary hops, you need to use message security for end-to-end security.
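For reference, here is what the two wsHttpBinding configurations discussed in this thread look like side by side. This is an added illustration, not configuration posted by the asker or the answerer; the service, contract and certificate subject names are placeholders. The Message-mode binding is the one the question describes (UserName client credentials, so the service needs a certificate to encrypt the messages); the Transport-mode binding relies on the endpoint being hosted over HTTPS.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Message security: credentials and payload are protected inside the SOAP
           message itself, independent of the HTTP hops in between. -->
      <binding name="MessageSecurityBinding">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
      <!-- Transport security: protection comes from the HTTPS channel only
           (the endpoint address must then use https://). -->
      <binding name="TransportSecurityBinding">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <!-- Placeholder names; substitute your own service and contract types. -->
    <service name="Example.OrderService" behaviorConfiguration="OrderServiceBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="MessageSecurityBinding"
                contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="OrderServiceBehavior">
        <serviceCredentials>
          <!-- Certificate used to encrypt/sign messages in Message mode.
               "orders.example.com" is a placeholder subject name. -->
          <serviceCertificate findValue="orders.example.com"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Validate the UserName credentials against the configured
               ASP.NET membership provider. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

To switch the endpoint to transport security, point bindingConfiguration at TransportSecurityBinding and host the service on an https:// base address; the serviceCertificate element is then no longer needed for message protection, since the TLS certificate is bound to the HTTPS listener instead.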