4
votes

When using WSDUALHTTPBINDING with message security, is it recommended to use Transport security also [i.e. SSL]? Maybe it depends on the scenario. In my case, both client and service are located on an intranet. If the service was on a webserver over the internet, would the answer be different?

Update: now that I know wsDualHttpBinding does not support transport security, is message security as secure, or should I use another binding that supports SSL under my scenario?


3 Answers

4
votes

The wsDualHttpBinding does not support transport-level security, meaning that SSL/TLS encryption is not possible. The following references confirm transport security is not an option with the wsDualHttpBinding binding:

MSDN: The WSDualHttpSecurityMode Enumeration is limited to two options: Message & None http://msdn.microsoft.com/en-us/library/ms731363(v=vs.110).aspx
http://msdn.microsoft.com/en-us/library/system.servicemodel.wsdualhttpsecuritymode(v=vs.110).aspx

Note: I also checked the Microsoft® Service Configuration Editor (image below) to validate the options.

The following online resource provides good background information:
http://wcfsecurityguide.codeplex.com/

Note: The scenario intranet vs internet web service does not factor into the answer because the proposed configuration would be invalid either way. Therefore, no SSL unless you change the binding.

Regards,

3
votes

The wsDualHttpBinding doesn't support Transport security as explained here: http://msdn.microsoft.com/en-us/library/ff648589.aspx

Binding limitations: Transport security does not work with wsDualHttpBinding.

You can rely on Message security. It uses WS-Security to protect each message.

UPDATE: As I said, you can rely on Message security; it provides end-to-end security. You can find the detailed explanation here: http://msdn.microsoft.com/en-us/library/ff648863.aspx

The downside of Message security is mainly that it is a bit slower, as every message has to be encrypted, but don't worry, it is secure enough; you don't need to change bindings.

2
votes

Per the original question:

When using WSDUALHTTPBINDING with message security, is it recommended to use Transport security also [i.e. SSL]?

As stated, WSDualHttpBinding does not support security at the Transport level. So the original question is sort of defeated.

Per the update to the question:

Update: now that I know wsDualHttpBinding does not support transport security, is message security as secure, or should I use another binding that supports SSL under my scenario?

Message level security is actually superior as it provides end-to-end security. Transport level security only provides point-to-point security.

Message security directly encrypts and signs the message so even routing the messages through intermediate systems does not break the security. You also get the additional bonus that message security is transport-independent so it can be used with any transport protocol.

MSDN actually recommends using message security in internet scenarios:

Use message security in the following scenarios:

  • You are sending a message to a WCF service, and the message is likely to be forwarded to other WCF services or may be routed through intermediate systems.
  • Your WCF clients are accessing the WCF service over the Internet and messages may be routed through intermediate systems.

This Message and Transport Security article on MSDN will be terrifically helpful to you.
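
The two modes discussed in the answers above, as an added example that is not code from the question or any answer: it builds a wsDualHttpBinding in each of its two security modes and checks the resulting channel stack for any protection at all. It assumes .NET Framework with a reference to System.ServiceModel and Windows credentials for the intranet case; the class and method names (DualBindingAudit, CreateSecured, Check) are hypothetical.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class DualBindingAudit   // hypothetical helper, not part of WCF
{
    // WSDualHttpSecurityMode has only Message and None, so Message is the
    // only protected configuration this binding can express.
    public static WSDualHttpBinding CreateSecured()
    {
        var b = new WSDualHttpBinding(WSDualHttpSecurityMode.Message);
        // Assumption: intranet clients authenticate with Windows credentials.
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        b.Security.Message.NegotiateServiceCredential = true;
        return b;
    }

    // Returns null when the binding protects its messages, else the reason.
    public static string Check(Binding binding)
    {
        BindingElementCollection stack = binding.CreateBindingElements();
        // TLS would show up as an HTTPS transport element in the stack.
        bool tls = stack.Find<HttpsTransportBindingElement>() != null;
        // WS-Security shows up as a security binding element.
        bool messageSecurity = stack.Find<SecurityBindingElement>() != null;
        if (!tls && !messageSecurity)
            return "no TLS and no WS-Security: messages cross the network unprotected";
        return null;
    }

    static void Main()
    {
        var candidates = new[]
        {
            CreateSecured(),
            new WSDualHttpBinding(WSDualHttpSecurityMode.None) // the weak setting
        };
        foreach (WSDualHttpBinding b in candidates)
            Console.WriteLine("scheme={0} mode={1} -> {2}",
                b.Scheme, b.Security.Mode, Check(b) ?? "ok");
    }
}
```

A check like this can run at service start-up so that a binding left in mode None is rejected before any endpoint is opened.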