First of all, both approaches are secure and will suffice for 90% of cases. Transport security secures your channel of communication, but doesn't encrypt your actual message. Message security encrypts your actual message, so servers that the message is passed through can not see the message contents and will need a private key to decrypt your messages. So one could argue message security is safer, at least its more suitable for internet communication. Some good links on WCF security:
Message Security in WCF and patterns & practices Improving Web Services Security Guide
netTcpBinding
uses Transport security by default, but that doesn't mean you can't use Message security with it. Transport security has less computation overhead than Message security (where each message is encrypted) thus it has better performance. One caveat of using netTcpBinding
over the internet is that it may not be guaranteed to work at all times (in the past I have successfully
set up netTcpBinding
over the internet though) since it uses some ports for message transmission that are not always guaranteed to be left open by network routers and firewalls (over the internet, your messages will be going through many routers and firewalls.) For internet communication, consider one of the HTTP bindings such as basicHttpBinding
or wsHttpBinding
which also supports message security.
You can use Message security like in other bindings:
<netTcpBinding>
<binding name="securedBinding">
<security mode="Message">
</security>
</binding>
</netTcpBinding>
and then set the bindingConfiguration
on your endpoints to securedBinding
.
And on the machine hosting your service (the server):
<behavoirs>
<serviceBehavior>
<behavior name="securityBehaviour">
<serviceCredentials>
<serviceCertificate
findValue="serviceCert"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavoir>
</serviceBehavior>
</behavoirs>
<services>
<service name="Service1" behaviorConfiguration="securityBehaviour">
<endpoint address="" binding="netTcpBinding" contract="IService1" bindingConfiguration="securedBinding">
</endpoint>
</service>
</services>
If you have limited clients and you know who they are, you can use self signed certificates. However if you want optimal security with many unknown clients consuming your service you're best off buying one from a known CA. You then need to install the server certificates on the server machine. Here is an article on how to secure your services with certificates, the blog also has some other useful WCF security articles that you may want to read.