I'm still in the process of trying to better understand WCF security.
One question that I can't seem to get a grip on is… if message level security is used, then the entire message can be signed/encrypted. If this is the case, would it ever make sense to use both message level security AND transport level security? In other words, if the message itself is secure, why would I need to use something like HTTPS for transport security?
Thanks.
HTTPS (SSL, TLS) offer point-to-point secuirty. I already explained what does it mean in one of my previous answers.
Term Security in WCF has 4 components:
- Authentication - credentials passed to server to identify client
- Authorization - selectively define which operations can be executed by authenticated client
- Confidentality - encryption - only expected receiver is able to decrypt the message and read confidental data
- Integrity - signing - expected receiver can validate that message is from declared client and it was not modified during transmission
Authorization is always part of WCF application itself. Authentication is part of WCF application or hosting system - transport protocol can be only used to transport credentials, not to validate them. Confidentality and Integrity is responsibility of transport protocol (transport security) or WCF application (message security). So if you are using encryption and signing on the message level you don't need transport security.
If you use message-level security in the form of encryption, then you should not need to also use transport-level encryption. However, doing so will certainly make your message more secure. If you only use message-level security to sign outgoing messages, then you will also want to use transport-level security if your message contains sensitive information.
It is important to use transport-level security when no message-level encryption is used. In fact, WCF requires you to use SSL when using UsernameToken plaintext, for example.
As far as I remember it's only possible to use both transport and message level security when using NetMsmqBinding.