I was reading about WCF security implementations and found out that there are two types of security: Transport Mode and Message Mode (or both).
If I used HTTPS for Transport Mode, is it more secure if I used Message security also? I am asking this because what I understand is as follows:
HTTPS uses the SSL protocol, which encrypts messages... so why should I add Message Security and encrypt the SSL-encrypted message? Or am I misunderstanding stuff?
The main transports used in Windows Communication Foundation (WCF) are HTTP, HTTPS, TCP, and named pipes; WCF also includes additional transports. Choosing among them, configuring the transport, and setting tuning properties are separate decisions from choosing the security mode.
Securing the message with message-level security instead of transport-level security has one main advantage: end-to-end security. Transport security, such as Secure Sockets Layer (SSL), only secures messages when the communication is point-to-point.
Windows Communication Foundation (WCF) is a SOAP message-based distributed programming platform, and securing messages between clients and services is essential to protecting data.
In other words, the TransportCredentialOnly security mode only authenticates the client at the transport level (for example, HTTP Basic or Windows authentication headers); it neither encrypts nor signs the SOAP message. The underlying transport connection (typically TLS/SSL, or another mechanism such as IPsec) must ensure that the message contents cannot be seen or altered by a third party, and on plain HTTP both the credential and the body travel in the clear.
Security in WCF actually consists of several features. The difference between those two is how messages are signed and encrypted.
Transport security provides only point-to-point channel security. It means that HTTPS establishes a secure channel only between the client and the server exposed to the client. But if this server is just a load balancer or reverse proxy server, it has direct access to the content of the message.
Message security provides end-to-end channel security. It means that security is part of the transferred data and only the intended destination can decrypt the data (the load balancer or proxy sees only the encrypted message). Message security in most cases also uses certificates to provide encryption and signing, but it is usually slower because transport security can use HW acceleration.
In advanced scenarios these methods can be combined. For example, you can have communication to your load balancer secured by HTTPS because you trust your internal network behind the load balancer, but at the same time you can have the message signed (message security) so you can prove that it wasn't changed.
Another difference between those two is that transport security is related to a single transport protocol, whereas message security is independent of the transport protocol.
Message security is based on interoperable protocols (but be aware that not every configuration in WCF is interoperable). WCF supports, at least partially, these protocols:
WCF also supports WS-I Basic Security Profile 1.0, which is just a subset of the former protocols with prescribed configuration.
For non-interoperable features WCF offers features like Windows security or TLSNego and SPNego (both should be generally interoperable but they are not available in many SOAP stacks) for service credentials exchange.
This link outlines the reasons to use or not to use Message security.
Basically, transport security is preferred unless it cannot be used.
An excerpt from the link:
Pros and Cons of Transport-Level Security
Transport security has the following advantages:
Does not require that the communicating parties understand XML-level security concepts. This can improve the interoperability, for example, when HTTPS is used to secure the communication.
Generally improved performance.
Hardware accelerators are available.
Streaming is possible.
Transport security has the following disadvantages:
Hop-to-hop only.
Limited and inextensible set of credentials.
Transport-dependent.
Disadvantages of Message-Level Security
Message security has the following disadvantages:
Performance
Cannot use message streaming.
Requires implementation of XML-level security mechanisms and support for WS-Security specification. This might affect the interoperability.
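To make the four modes discussed in the two answers above concrete, here is an added C# example (not code from either answer or from the WCF documentation) that builds each binding with the standard WCF API. The address orders.example.internal, the certificate subject name, and the IOrderService contract are hypothetical. The contract declares ProtectionLevel.Sign, which is the "HTTPS to the proxy plus a signed message" combination from the first answer: the body stays readable to a load balancer but cannot be altered without breaking the WS-Security signature, and WCF refuses to open an endpoint whose binding cannot provide that protection (so the TransportCredentialOnly binding fails at host.Open()).

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract. ProtectionLevel.Sign asks for integrity only: intermediaries can
// read the body, but any modification invalidates the signature. Bindings that cannot
// sign (TransportCredentialOnly) are rejected by WCF when the host opens.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IOrderService
{
    [OperationContract]
    string Submit(string order);
}

public class OrderService : IOrderService
{
    public string Submit(string order) => "accepted:" + order;
}

public static class WcfSecurityModes
{
    // Weak setting: plain HTTP carrying an HTTP Basic credential. Nothing is encrypted
    // or signed; the password and the SOAP body are visible on every hop.
    public static BasicHttpBinding TransportCredentialOnly()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        return b;
    }

    // Transport security: TLS protects the hop from the client to whatever terminates
    // HTTPS; a reverse proxy or load balancer behind that sees plaintext. Because the
    // protection is below the SOAP layer, streaming large messages is allowed.
    public static BasicHttpBinding TransportOnly()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        b.TransferMode = TransferMode.Streamed;
        return b;
    }

    // Message security: WS-Security with X.509 certificates on both sides, over plain
    // HTTP. The envelope is signed (and, unless the contract lowers it, encrypted) for
    // the service's certificate, so proxies only forward protected XML. The whole
    // message must be buffered to sign it, which is why streaming is unavailable here.
    public static WSHttpBinding MessageOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        b.Security.Message.NegotiateServiceCredential = false; // client holds the service cert out of band
        b.Security.Message.EstablishSecurityContext = false;   // no WS-SecureConversation session
        return b;
    }

    // Combination: HTTPS gives confidentiality and integrity for the hop, while the
    // client credential travels in the WS-Security header of the SOAP envelope.
    public static WSHttpBinding TransportWithMessageCredential()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }
}

public static class Program
{
    public static void Main()
    {
        // Message security runs over http://, not https://: the SOAP layer carries the protection.
        var host = new ServiceHost(typeof(OrderService), new Uri("http://orders.example.internal/svc"));
        host.AddServiceEndpoint(typeof(IOrderService), WcfSecurityModes.MessageOnly(), "");

        // Service certificate used to sign responses and to let clients encrypt to the service.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "orders.example.internal");

        // State the client-certificate validation policy explicitly instead of relying on defaults.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Credentials.ClientCertificate.Authentication.RevocationMode =
            X509RevocationMode.Online;

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Swapping WcfSecurityModes.MessageOnly() for WcfSecurityModes.TransportOnly() (and the address for an https:// one bound to a server certificate) gives the point-to-point variant; swapping in TransportCredentialOnly() makes host.Open() throw, because the contract demands a signature the binding cannot supply.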