Transport vs Message transfer security

  • Question

  • Would anyone be willing to offer any commentary on Transport (SSL) vs Message transfer security in WCF? I've read a bit about them, in particular one disadvantage of transport security being that it works point-to-point. What does this really mean in a B2B scenario over the Internet? What are the weak 'points' that one needs to be aware of, and how can they be mitigated?

    Friday, January 11, 2008 5:21 PM

All replies

  • Transport security is good for an intranet when a single hop can be assured. So over non-secure transports, use message security to encrypt the message itself, thus providing end-to-end security regardless of the number of intermediaries or whether the transport is secure. The use of message security may introduce latency, so the call pattern needs to be less chatty.

    In a B2B scenario, use message security with a service-side certificate, but unlike the Internet scenario the client must provide credentials in the form of a certificate as well.

    See Juval Lowy's security framework at www.idesign.net for tips and suggestions and a great security framework.

    Regards

    Allan

    Tuesday, January 15, 2008 7:59 AM
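    The two binding modes Allan contrasts, as an added example that is not code from this thread or from IDesign's framework. The IOrderService contract, the address partner-b.example and the certificate subject name partner-b.example are assumptions made for the illustration; the WCF types and properties are the real ones.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical B2B contract used only for this example.
[ServiceContract(Namespace = "urn:example:b2b")]
public interface IOrderService
{
    [OperationContract]
    string SubmitOrder(string orderXml);
}

public class OrderService : IOrderService
{
    public string SubmitOrder(string orderXml) => "accepted";
}

public static class BindingFactory
{
    // Transport security (HTTPS). Protects the hop between the client and
    // whatever terminates TLS: the service itself, or a reverse proxy, load
    // balancer or SOAP router placed in front of it. Past that terminator the
    // SOAP envelope is plaintext, which is what "point-to-point" means.
    public static WSHttpBinding TransportOnly()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        // Mutual TLS: the partner authenticates with a client certificate at the transport layer.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return binding;
    }

    // Message security (WS-Security). The SOAP body is signed and encrypted
    // with the service certificate inside the envelope, so it stays protected
    // across any number of intermediaries and even over plain HTTP. Both sides
    // use certificates, the mutual-authentication pattern Allan describes for B2B.
    public static WSHttpBinding MessageWithMutualCerts()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Partners exchange certificates out of band, so skip the service
        // credential negotiation and the per-session secure conversation.
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }
}

public static class Program
{
    public static void Main()
    {
        // Plain HTTP base address: with message security the transport need not be secure.
        var host = new ServiceHost(typeof(OrderService), new Uri("http://partner-b.example/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), BindingFactory.MessageWithMutualCerts(), "");

        // Service certificate (with private key) used to sign responses and decrypt requests.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "partner-b.example");

        // Which client certificates are accepted as a partner: must chain to a
        // trusted root and pass a revocation check. Chain trust without
        // revocation checking would keep accepting a compromised, revoked cert.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        host.Open();
        Console.WriteLine("Listening on " + host.BaseAddresses[0] + "; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

    On the client side the same binding goes into a ChannelFactory<IOrderService>, with the partner's own certificate set through factory.Credentials.ClientCertificate and the expected service certificate through factory.Credentials.ServiceCertificate. With TransportOnly() the base address must be https and the server certificate is bound to the listener (IIS or http.sys), not configured in WCF; in that mode nothing in the envelope is protected once TLS has been terminated.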
  • You can find the following MSDN article detailing the Transport vs. Message security comparison.

    http://msdn2.microsoft.com/en-us/library/ms733137.aspx

    Hope this helps

    Sara

    Tuesday, January 15, 2008 8:14 AM
  • What I don't understand is how point-to-point is an issue. Where are the points at which the traffic using SSL would be considered unsecured?

    For example, in a B2B over the Internet scenario, when would multiple hops come into play? It can't have anything to do with the various servers, switches or gateways the traffic might pass over in routing to the end destination, right? Because they can't decode the SSL traffic. So exactly where might the SSL traffic be decoded and be in the clear?

    Seems like this can't happen until it hits the server that is doing the SSL encryption/decryption. And isn't that server within one of the 'B's in B2B? My point being, don't I then have some level of control over all of the 'points' in point-to-point, and thus have the ability to make SSL as secure or insecure as I see fit?

    Am I missing a glaring point here?

    Tuesday, January 15, 2008 9:59 PM
  • If you have a SOAP-level router between your client/server, then your SOAP intermediaries can see your messages if you only use transport security. If you want it to be fully secure you will need RM in this case.

    However, if you have only client & server (low-level network routers are fine, as they are transparent), then you are fine with transport security.

    Hope this helps,

    Sara

    Thursday, January 17, 2008 1:14 AM
  • Hmm, so the term 'SOAP-level router' is not something I'm familiar with. Is this something that might exist out in the wilds of the Internet and get in my way without me being aware of it, or is it something that might be installed at either end of the B2B scenario, and thus under my control (or at least under my potential influence)?

    What I'm trying to get at here is just how much of the drawback to SSL security (point-to-point) is under my control and how much is completely up to the vagaries of the Internet?

    Thursday, January 17, 2008 1:23 AM
  • Great questions George
    Anybody willing and really able to answer those?


    Thursday, September 11, 2008 2:56 PM
  • Sorry for bumping this old thread, but I have exactly the same questions here, and for a specific reason. I'm looking at creating a LOB application using Silverlight and WCF. Silverlight only supports transport security, not message security, and this needs to be an Internet application.

    I can't work out if the lack of message-level security means I have to abandon Silverlight as my UI (or figure out how to manually implement message security on the Silverlight side), as I can't figure out, for the same reasons as Curious George has posted above, what level of risk is involved in just using transport security over HTTPS.

    Does anyone have any answer to this question?

    Curious George said:

    Hmm, so the term 'SOAP-level router' is not something I'm familiar with. Is this something that might exist out in the wilds of the Internet and get in my way without me being aware of it, or is it something that might be installed at either end of the B2B scenario, and thus under my control (or at least under my potential influence)?

    What I'm trying to get at here is just how much of the drawback to SSL security (point-to-point) is under my control and how much is completely up to the vagaries of the Internet?

    Cheers,
    Greg

    Wednesday, March 4, 2009 12:21 PM
  • Greg, since nobody has answered your question yet, I'll try to show scenarios which will not work with transport security. I hope someone will jump in to give you more detailed information or correct me if I'm wrong.
    The key point is that when using transport security the whole message is encrypted. This means that the SOAP headers as well as the SOAP body (which contains the ultimate message) are encrypted.
    In the case of message security, by default the SOAP body is encrypted but the SOAP headers are not.
    If you have any intermediary on the way from client to service which has to read the SOAP headers, you cannot use transport security, since the headers are encrypted.
    An intermediary can be an XML firewall which is analyzing the SOAP headers or an XML router which uses routing information that may be contained in a header. If you are sure that there are no intermediaries on the client and service side, you can use transport security.

    Regards,
    Ulli
    Monday, March 9, 2009 11:24 AM
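    The situation Sara (SOAP-level router between client and service) and Ulli (headers readable, body encrypted) describe, as an added example that is not code from this thread. It shows how message security lets the protection level be set per part of the envelope, so a SOAP router or XML firewall can read and route on signed headers while the body stays encrypted to the service. The SubmitOrderRequest/IOrderService contract, the PartnerId and RouteTo headers, the address and the certificate subject name are assumptions for the illustration.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical message contract for this example. Protection is chosen per
// part: routing headers are signed but readable, the order body is encrypted.
[MessageContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public class SubmitOrderRequest
{
    // A SOAP router or XML firewall can read these to make its decision;
    // the signature means it cannot alter them without the service noticing.
    [MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
    public string PartnerId;

    [MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
    public string RouteTo;

    // Encrypted to the service certificate: only the ultimate receiver,
    // holding that private key, can read it, whatever the intermediaries do.
    [MessageBodyMember(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    public string OrderXml;
}

[MessageContract]
public class SubmitOrderResponse
{
    [MessageBodyMember]
    public string Status;
}

[ServiceContract(Namespace = "urn:example:b2b", ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IOrderService
{
    [OperationContract]
    SubmitOrderResponse SubmitOrder(SubmitOrderRequest request);
}

public class OrderService : IOrderService
{
    public SubmitOrderResponse SubmitOrder(SubmitOrderRequest request)
    {
        // PartnerId is trustworthy because it is covered by the client's signature,
        // not because the intermediary that forwarded the message says so.
        Console.WriteLine("order from " + request.PartnerId + " routed via " + request.RouteTo);
        return new SubmitOrderResponse { Status = "accepted" };
    }
}

public static class Program
{
    public static void Main()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // Under SecurityMode.Transport the ProtectionLevel settings above make no
        // difference on the wire: TLS covers the whole envelope, headers included,
        // and only as far as the box that terminates TLS. Per-part protection that
        // survives an intermediary exists only with message security.
        var host = new ServiceHost(typeof(OrderService), new Uri("http://partner-b.example/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "partner-b.example");

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

    WCF's default under message security already signs the WS-Addressing headers (To, Action, MessageID) without encrypting them and signs and encrypts the body, which is why an addressing-based SOAP router works against a message-secured endpoint; the attributes above make the same choice explicit for custom headers. The practical answer to the thread's question is that the "points" are every box that terminates TLS on the path, and if all of them (and their administrators) are inside the two partners' trust boundary, transport security over HTTPS covers the hop that crosses the Internet.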