I don't understand why wcf transport layer security restrict the username/password authentication.
Okay, message encryption at wcf message security model, occurs at TCP/IP Application layer, i mean it encrypts directly the username/password using algorithms, and decrypt using the certificate key, and if someone sniff packets using man in the middle atack, if it doesn't have the key to decrypt the user credentials, it fails.
But in what consist the weakness of transport layer security that it restrict the username/password authentication?
Can someone make a man in the middle attack and see user credentials in the message at transport level security?
0
votes
1 Answers
2
votes
It is not WCF restriction. It is more like TCP restriction. TCP Transport security is done either:
- By SSL stream where certificates are used to establish trusted secured connection
- By Windows stream where windows security is used to establish trusted secured connection
User name and password itself doesn't provide anything to creating these streams. If you need to pass user name and password over connection with transport security you indeed can but you must use TransportWithMessageCredential security mode! You will have transport layer secured with certificate and user name and password in SOAP header.
