0
votes

I have a WCF service and need to exchange confidential information with clients. The clients will be connecting to the service over the Internet. If my binding is configured as follows, is the communication between the client and server prone to eavesdropping or a MITM attack?

<bindings>
    <netTcpBinding>
        <binding name="myBinding">
            <security mode="Transport">
                <transport clientCredentialType="Windows" />
            </security>
        </binding>
    </netTcpBinding>
</bindings>

I have read the following in an MSDN article:

Use transport security in the following scenarios:

You are sending a message directly from your application to a WCF service and the message will not be routed through intermediate systems. Both the service and the client are located in an intranet.

and

Using transport security has the following disadvantages:

Security is applied on a point-to-point basis, with no provision for multiple hops or routing through intermediate application nodes

If I am connecting directly to the WCF service and the server is not forwarding the message anywhere else, would transport security be secure enough?

I have tried message security using a digital certificate but the performance was not good at all. The fastest call to the server is taking 3 seconds whereas in transport security the same call is taking 1.5 seconds.

1 Answer

0
votes

I strongly discourage the use of netTcpBinding over the Internet (and so does the article you posted). Transport security is of course the most performant option, but the downside is that it can only guarantee a point-to-point connection, and over the Internet you can't know how many intermediaries you have between the client and the service. In an intranet application you typically have a controlled environment and you can be sure of that.

Over the Internet you should use an HTTP transport and message security, which implies you have to pay something in overhead and consequently in performance.

As said, you can't compare the latency of the two different bindings; you should use WsHttpBinding and, as you already tried, encrypt the message with a certificate. This is by far the most secure way to send data with WCF in an Internet scenario. I think if it really matters you should accept the performance decrease in exchange for that.

This could be a useful link: http://wcfsecurityguide.codeplex.com/
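As an added example (not part of the original question or answer), here is the question's netTcpBinding placed next to a wsHttpBinding of the kind the answer recommends: HTTP transport, message-level security, and X.509 certificates on both sides. The service name, contract name, certificate subject, certificate store and base address are placeholders; the attribute names and values are standard WCF `system.serviceModel` configuration.

```xml
<system.serviceModel>
  <bindings>
    <!-- Binding from the question: transport security over TCP,
         Windows (Kerberos/NTLM) client credentials. Kept here for contrast. -->
    <netTcpBinding>
      <binding name="myBinding">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </netTcpBinding>

    <!-- Binding the answer recommends for Internet clients: HTTP transport,
         message security, client and service authenticated with certificates. -->
    <wsHttpBinding>
      <binding name="secureMessageBinding">
        <security mode="Message">
          <!-- negotiateServiceCredential="false": the client must already hold the
               service certificate (distributed out of band) instead of fetching it
               from the service at runtime.
               establishSecurityContext="true": the certificate handshake runs once
               per session and later calls reuse the negotiated session key. -->
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="certBehavior">
        <serviceCredentials>
          <!-- Certificate subject, store location and store name are placeholders. -->
          <serviceCertificate findValue="CN=service.example.com"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <clientCertificate>
            <!-- Validate client certificates against a trusted CA chain and check
                 revocation. PeerTrust or None would accept any certificate that is
                 simply present in the trusted-people store or is unvalidated. -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <!-- Service, contract and base address are placeholders. -->
    <service name="MyNamespace.MyService" behaviorConfiguration="certBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="secureMessageBinding"
                contract="MyNamespace.IMyService" />
      <host>
        <baseAddresses>
          <add baseAddress="http://service.example.com/MyService" />
        </baseAddresses>
      </host>
    </service>
  </services>
</system.serviceModel>
```

Because `negotiateServiceCredential` is `false`, the client configuration must carry its own `clientCredentials` endpoint behavior with a `clientCertificate` element for its identity and a `serviceCertificate/defaultCertificate` element pointing at the service certificate it was given. Keeping `establishSecurityContext` on is the setting to check first when message security looks slow: with it, the asymmetric certificate operations happen at session setup rather than on every call, so the per-call cost after the first request is closer to the symmetric cost of transport security.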