
WCF binding security for encryption


Here is a WCF binding and security question I'm quite confused by:

You are hosting a Windows Communication Foundation (WCF) service at http://www.contoso.com for a law enforcement agency. The agency adds operations to support sending biometric fingerprint data via non-buffered streaming. The service data is routed between intermediaries. The WCF binding you are using by default does not support encryption. You need to ensure that the fingerprint data is not disclosed when passed over the network. What should you do?

  • A. Use basicHttpBinding with message security to https://www.contoso.com
  • B. Use basicHttpBinding with transport security to https://www.contoso.com
  • C. Use wsHttpBinding with message security to https://www.contoso.com
  • D. Use wsHttpBinding with transport security to http://www.contoso.com

The answer is B. But I think, since it says "The service data is routed between intermediaries", message security should be favoured over transport security. Well, it did say "The WCF binding you are using by default does not support encryption", but the options here do offer using wsHttpBinding, so I think both A and C will do. Can anyone tell me where I'm wrong there?


Solution

  • This sentence in the question is the key:

    The WCF binding you are using by default does not support encryption

    So that means the question is implying you are using basicHttpBinding, since wsHttpBinding has WS*-Security enabled by default. You can actually inspect the calls via Fiddler. The messages are signed and encrypted using a security token by default; for the gory details, this explains the SPNEGO token that is cached on the service.

    So that eliminates C and D because of the sentence I highlighted earlier.

    That leaves A and B. I don't agree with B, as MSDN itself states that transport security only secures messages when the communication is point to point. If the message is routed to one or more SOAP intermediaries before reaching the ultimate receiver, the message itself is not protected once an intermediary reads it from the wire.

    The question also clearly says:

    The service data is routed between intermediaries

    Therefore, I believe the correct answer is A; some WCF experts on SO may correct me.
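As an added example that is not part of the original question or answer: the C# below builds the four bindings the answer options describe, plus the basicHttpBinding default, and then reads back the binding element stack WCF would actually put on the wire. Inspecting `CreateBindingElements()` is a more reliable way to tell "TLS per hop" from "WS-Security on the body" than recalling defaults from memory. The endpoint path `/Fingerprints` and the message size limit are assumptions chosen for illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example (not code from the original post). Builds the bindings behind
// options A-D and classifies how each one protects confidentiality on the wire.
// Endpoint path /Fingerprints and the size limit are assumed for illustration.
static class WcfBindingSecurityCheck
{
    // Classifies a binding by the security elements in its channel stack:
    //  - Symmetric/AsymmetricSecurityBindingElement: WS-Security signs and
    //    encrypts the SOAP body itself (message security), so the payload stays
    //    protected across SOAP intermediaries.
    //  - HttpsTransportBindingElement: TLS protects each hop only; an
    //    intermediary that terminates TLS sees plaintext.
    //  - TransportSecurityBindingElement alone only carries credentials in the
    //    message (TransportWithMessageCredential); it does not encrypt the body.
    public static string DescribeWireProtection(Binding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        SecurityBindingElement security = elements.Find<SecurityBindingElement>();
        bool bodyEncrypted = security is SymmetricSecurityBindingElement
                          || security is AsymmetricSecurityBindingElement;
        bool tls = elements.Find<HttpsTransportBindingElement>() != null;

        // HttpsTransportBindingElement derives from HttpTransportBindingElement,
        // so this lookup finds the transport element for both http and https.
        HttpTransportBindingElement transport = elements.Find<HttpTransportBindingElement>();
        string mode = transport != null && transport.TransferMode != TransferMode.Buffered
            ? "streamed" : "buffered";

        if (bodyEncrypted)
            return $"message security (body encrypted end to end), scheme={binding.Scheme}, {mode}";
        if (tls)
            return $"transport security (TLS per hop only), scheme={binding.Scheme}, {mode}";
        return $"NO encryption (plaintext SOAP over {binding.Scheme}), {mode}";
    }

    static void Main()
    {
        // "The binding you are using by default": basicHttpBinding ships with
        // Security.Mode = None, i.e. plaintext SOAP over http.
        var defaultBasic = new BasicHttpBinding();

        // Option A: basicHttpBinding + message security. This mode accepts only
        // certificate client credentials; the body is WS-Security encrypted.
        var optionA = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        optionA.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;

        // Option B: basicHttpBinding + transport security. The binding's scheme
        // becomes https, and streaming can be switched on for large payloads.
        var optionB = new BasicHttpBinding(BasicHttpSecurityMode.Transport)
        {
            TransferMode = TransferMode.Streamed,          // non-buffered streaming
            MaxReceivedMessageSize = 256L * 1024 * 1024,  // assumed limit for fingerprint data
        };

        // Option C: wsHttpBinding + message security. This is also its default
        // mode (Windows credentials), which is why Fiddler shows an encrypted
        // body even on an http:// address. WSHttpBinding has no TransferMode
        // property; it is always buffered.
        var optionC = new WSHttpBinding(SecurityMode.Message);

        // Option D: wsHttpBinding + transport security. The scheme becomes https,
        // so the http://www.contoso.com address in that option cannot be opened.
        var optionD = new WSHttpBinding(SecurityMode.Transport);

        Console.WriteLine("default basicHttpBinding : " + DescribeWireProtection(defaultBasic));
        Console.WriteLine("A basic + message        : " + DescribeWireProtection(optionA));
        Console.WriteLine("B basic + transport      : " + DescribeWireProtection(optionB));
        Console.WriteLine("C ws + message           : " + DescribeWireProtection(optionC));
        Console.WriteLine("D ws + transport         : " + DescribeWireProtection(optionD));

        // Sanity check a practitioner should run before deploying: the binding's
        // scheme must match the endpoint address, or the endpoint fails to open.
        var endpoint = new EndpointAddress("https://www.contoso.com/Fingerprints");
        Console.WriteLine($"B scheme '{optionB.Scheme}' matches endpoint '{endpoint.Uri.Scheme}': "
                          + (optionB.Scheme == endpoint.Uri.Scheme));
    }
}
```

Two WCF constraints bear on the question's "non-buffered streaming" requirement and are worth checking before choosing between A and B in practice: WSHttpBinding exposes no TransferMode (it is always buffered), and message security has to hold the whole SOAP envelope in memory to sign and encrypt it, so WCF does not support it in streamed mode. For a streamed upload that leaves transport security over https:// (option B) as the only one of the four configurations WCF will run. The intermediary concern raised in the answer is real, but with streaming required it has to be addressed by keeping every TLS hop trusted rather than by WS-Security on the body.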