Reputation: 1161
I read a Fortify article about WCF Misconfiguration: Transport Security Enabled. It seems that transport security is the least secure option... and the transport security option is vulnerable to man-in-the-middle attacks...
I am not sure about the reason... Could anyone give me more specific details?
Upvotes: 1
Views: 1043
Reputation: 4275
Basically there are two ways of providing security in WCF.
Transport Security: Securing the transport channel is called transport security. Each transport (HTTP, TCP, etc.) has its own way of providing transport security, such as implementing SSL (Secure Sockets Layer).
The main disadvantage of transport security is that the security is applied only to the transmission from one endpoint of the channel to the other endpoint, and there is no provision of security for multiple hops or routing through intermediate nodes.
For instance, after a message or data packet goes from the server's endpoint to the client's endpoint and there is a reverse proxy or load balancer which forwards the message to another destination, there is a possibility that the message can be tampered with by the intermediaries (middle man) that are forwarding the data packet, because security is limited only to the channel, not outside the channel. Hence, transport security is considered the least secure option in WCF.
To overcome this you can use Message Security.
Message Security: Securing the message itself by encapsulating the security credentials with every SOAP request between client and server is called message security.
It provides end-to-end security: because message security directly signs and encrypts the message, having intermediaries doesn't break the security, but performance takes a hit.
Upvotes: 1
Reputation: 2115
If your message goes from A to C through B like this:
A > https > B > https > C
Server B can see and tamper with it.
And in case of:
A > https > B > http > C
External MITM is possible:
A > https > B > http > X > http > C
But in the simple case of 2 endpoints:
A > https > C
that would be quite secure.
Upvotes: 1
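The A > https > B > https > C relay case from the answers above, as an added example that is not part of any of the posts: a small Python model in which B holds the plaintext after terminating A's channel, and C either trusts the hop (transport security only) or verifies a message-level signature. The HMAC with a constructed key shared by A and C is an assumption standing in for the WS-Security signature that WCF message security applies; only integrity is modelled, not encryption, and all names are hypothetical.

```python
import hashlib
import hmac

# Constructed key known only to endpoints A and C (stand-in for message-security credentials).
END_TO_END_KEY = b"constructed-demo-key-known-to-A-and-C"


def sign(body, key):
    """Message-level integrity tag computed over the message body."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def send_from_a(body, message_security):
    """Envelope that A hands to its HTTPS channel towards B."""
    envelope = {"body": body}
    if message_security:
        envelope["sig"] = sign(body, END_TO_END_KEY)
    return envelope


def relay_b(envelope, tamper):
    """B terminates A's channel, so it sees the plaintext envelope before
    opening a new channel to C. B does not hold END_TO_END_KEY."""
    forwarded = dict(envelope)
    if tamper:
        forwarded["body"] = forwarded["body"].replace("100", "9000")
    return forwarded


def receive_at_c(envelope, message_security):
    """Return (accepted, body). With transport security only, C can
    authenticate the hop from B but has nothing that ties the body to A."""
    if not message_security:
        return True, envelope["body"]
    expected = sign(envelope["body"], END_TO_END_KEY)
    # A missing signature (stripped by the relay) is treated as a failure.
    ok = hmac.compare_digest(envelope.get("sig", ""), expected)
    return ok, envelope["body"]


def run(message_security, tamper):
    """Send one constructed message from A through B to C."""
    sent = send_from_a("pay 100 to bob", message_security)
    return receive_at_c(relay_b(sent, tamper), message_security)


if __name__ == "__main__":
    for mode in (False, True):
        for tamper in (False, True):
            print("message_security=%s tamper=%s -> %s" % (mode, tamper, run(mode, tamper)))
```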