Home/ Questions/Q 3441468
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T08:33:24+00:00

I’m reading a book on WCF and author debates about pros of using message-level

  • 0

I’m reading a book on WCF and author debates about pros of using message-level security over using transport-level security. Anyways, I can’t find any logic in author’s arguments

One limitation of transport
security is that it relies on every
“step” and participant in the network
path having consistently configured
security. In other words, if a message
must travel through an intermediary
before reaching its destination, there
is no way to ensure that transport
security has been enabled for the step
after the intermediary (unless that
interme- diary is fully controlled by
the original service provider). If
that security is not faithfully
reproduced, the data may be
compromised downstream.

Message security focuses on ensuring the integrity and privacy of
individ- ual messages, without regard
for the network. Through mechanisms
such as encryption and signing via
public and private keys, the message
will be protected even if sent over an
unprotected transport (such as plain
HTTP).

a)

If that security is not faithfully
reproduced, the data may be
compromised downstream.

True, but assuming two systems communicating use SSL and thus certificates, then the data they exchange can’t be decrypted by intermediary, but instead it can only be altered, which the receiver will notice and thus reject the packet?!

b) Anyways, as far as I understand the above quote, it is implying that if two systems establish a SSL connection, and if intermediary system S has SSL enabled and if S is also owned by a hacker, then S ( aka hacker ) won’t be able to intercept SSL traffic travelling through it? But if S doesn’t have SSL enabled, then hacker will be able to intercept SSL traffic? That doesn’t make sense!

c)

Message security focuses on ensuring the integrity and privacy of individ-
ual messages, without regard for the network. Through mechanisms such
as encryption and signing via public and private keys, the message will be
protected even if sent over an unprotected transport (such as plain HTTP).

This doesn’t make sense, since transport-level security also can use encryption and certificates, so why would using private/public keys at message-level be more secure than using them at transport-level? Namelly, if intermediary is able to intercept SSL traffic, why wouldn’t it also be able to intercept messages secured via message-level private/public keys?

thank you

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think I see what he’s getting at. Say like this:

    Web client —> Presentation web server —> web service call to database

    In this case you’re depending on the middle server encrypting the data again before it gets to the database. If the message was encrypted instead, only the back end would know how to read it, so the middle doesn’t matter.

    • 0