I've got a WCF service that has the security configured as below.
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
</security>
This seems to me to be pretty secure, but can anyone tell me how secure? Is this a good way of securing my service? Are there any vulnerabilities that I should know about?
Two main mechanisms are used to implement transfer security in WCF: transport security mode and message security mode.
Transport security mode uses a transport-level protocol, such as HTTPS, to achieve transfer security. Transport mode has the advantage of being widely adopted, available on many platforms, and less computationally complex. However, it has the disadvantage of securing messages only from point-to-point.
Message security mode, on the other hand, uses WS-Security (and other specifications) to implement transfer security. Because the message security is applied directly to the SOAP messages and is contained inside the SOAP envelopes, together with the application data, it has the advantage of being transport protocol-independent, more extensible, and ensuring end-to-end security (versus point-to-point); it has the disadvantage of being several times slower than transport security mode because it has to deal with the XML nature of the SOAP messages.

A third security mode uses both previous modes and brings advantages of both. This mode is called TransportWithMessageCredential. In this mode, message security is used to authenticate the client and transport security is used to authenticate the server and provide message confidentiality and integrity. Thanks to this, the TransportWithMessageCredential security mode is almost as fast as transport security mode and provides client authentication extensibility in the same way as message security. However, unlike message security mode, it does not provide complete end-to-end security.
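The three modes the answer describes, written out side by side as binding configurations. This is an added example, not configuration from the question or the answer. It assumes the asker's binding is netTcpBinding, since the protectionLevel attribute on the transport element exists only for the TCP and named-pipe transports; the binding names are arbitrary.

```xml
<bindings>
  <netTcpBinding>
    <!-- Transport mode (the asker's settings): Windows/Negotiate authenticates the client,
         the TCP transport encrypts and signs. Protection applies hop by hop only: any
         intermediary that terminates the connection sees plaintext. -->
    <binding name="TransportOnly">
      <security mode="Transport">
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
      </security>
    </binding>

    <!-- Message mode: WS-Security applied inside the SOAP envelope, so the protection
         travels with the message through intermediaries (end-to-end), at higher CPU cost. -->
    <binding name="MessageOnly">
      <security mode="Message">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>

    <!-- Mixed mode: the transport authenticates the server and protects the channel;
         only the client credential is carried in the message. Point-to-point, like Transport. -->
    <binding name="Mixed">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>
```

For the Mixed binding the service needs a certificate configured in its serviceCredentials behavior, because transport security over TCP without Windows credentials authenticates the server with a certificate; the TransportOnly binding gets server authentication from the Windows (Kerberos/NTLM) handshake instead and needs none.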