
I have read a lot of articles saying that in WCF you have two types of security: one is transport level and the other is message level. Transport level security must be used when you have an intranet connection, as it provides point-to-point security, and the underlying protocol should be SSL....

But if I search on how to secure public websites, they all say use HTTPS (SSL), again SSL.

These two statements are contradictory.

Questions:

  1. What exactly is the meaning of point-to-point security here?
  2. If SSL is only point-to-point (and not end-to-end), then why do people use it for public websites?

saransh mehra

1 Answer

HTTPS encrypts data from point-to-point, and once the data reaches one of the points and is decrypted, no security guarantee is made from that point onwards. Intermediary nodes, however, cannot read the information.

Message security, on the other hand, can encrypt data to be decrypted only by a certain recipient, which can be a separate entity from the receiving end. The receiving end might eventually forward the encrypted message to the intended recipient who will be able to decrypt the message.

An analogy would be email. If you establish a connection with your mail server using transport security (e.g. HTTPS), any information is guaranteed to be secured from your machine to the mail server. However, anyone with access to the mail server (e.g. server administrators) will be able to read the content of the email.

On the other hand, if you use message security to encrypt the message so only a specified recipient can decrypt it, the actual email message is encrypted (and not simply the communication between you and the server), so that even once the message is received by the server, it is still encrypted. Only when the email server forwards your message to your intended recipient, the recipient can decrypt the message using his own private key, thereby keeping the email private across a whole path of delivery while not requiring direct communication by the sender and that recipient, as is required by transport-level security.

Of course, some parts of the message must remain visible to the email server, for example the recipient's address, and so you may want to use both levels of security: message security will ensure the mail server (or any party except the recipient) can't read the content of your email, and transport security will additionally ensure that a third party listening in to the communications between you and your mail server can't find out who you're sending an email to (unless the mail server divulges that information to that third party).

Taken from WCF Transport security weakness

Read more here https://msdn.microsoft.com/en-us/library/hh273109(v=vs.100).aspx

Answer to question 2 :

Because once it has reached the IIS server, which is hosted by the company itself or in a data center that has firewalls and other security measures which are hard to bypass, no one can read your message from that server unless they can hack everywhere; it saves the overhead of TCP security.

Yashveer Singh
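The email analogy in the quoted answer, worked through as an added example (not code from the question, the quoted answer, or WCF itself): the sender seals the body for the recipient's key, the mail server can route on the address but cannot open the body, and only the recipient's key succeeds. The names `Envelope`, `NewKey`, `SealForRecipient`, `Open` and `ServerForward` are hypothetical helpers, and RSA-OAEP stands in for whatever message-level scheme a real deployment uses.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the intermediary (the mail server of the analogy) handles:
// the routing header stays readable, the body is ciphertext only the recipient can open.
type Envelope struct {
	To   string // visible to the server so it can route the message
	Body []byte // RSA-OAEP ciphertext under the recipient's public key
}

// NewKey creates a party's key pair (hypothetical helper, 2048-bit RSA for the demo).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SealForRecipient is the sender's side of message-level security: the body is
// encrypted to the recipient's public key before it ever reaches the server.
func SealForRecipient(to string, plaintext []byte, recipient *rsa.PublicKey) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{To: to, Body: ct}, nil
}

// Open is what any key holder can attempt; only the intended recipient's key
// succeeds. The server's own key, which terminates the transport hop, does not.
func Open(env Envelope, key *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, env.Body, nil)
}

// ServerForward models the mail server: it reads the address to route the
// message and relays the body untouched. It returns exactly what it could see.
func ServerForward(env Envelope) (seenAddr string, seenBody []byte) {
	return env.To, env.Body
}

func main() {
	serverKey, _ := NewKey() // the hop that transport security protects up to
	bobKey, _ := NewKey()    // the end-to-end recipient
	env, _ := SealForRecipient("bob@example.test", []byte("constructed sample message"), &bobKey.PublicKey)
	addr, body := ServerForward(env)
	_, serverErr := Open(env, serverKey)
	pt, _ := Open(env, bobKey)
	fmt.Printf("server saw to=%q and %d ciphertext bytes; server decrypt failed: %v\nbob read %q\n", addr, len(body), serverErr != nil, pt)
}
```

Transport security (HTTPS) would wrap the whole `Envelope` on each hop, so an eavesdropper on the wire sees neither field; message security is what keeps `Body` closed once the hop terminates at the server.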
  • I couldn't clearly understand. What about a bank website? Can only SSL security (HTTPS) make it secure, or can a router in between exploit the data? And also in the case of email (with HTTPS), can't routers/hosts in between peep into the data? – saransh mehra Jan 20 '17 at 17:00
  • But before reaching IIS, can somebody in between see the data? – saransh mehra Jan 20 '17 at 17:33
  • Yes, if it is not secured then it can be seen. That's why HTTPS and SSL are used, so it cannot be done – Yashveer Singh Jan 20 '17 at 17:45
  • In short, in the case of a bank website: your browser is one point and the IIS server of the company website is the second, so HTTPS/SSL will provide you a guarantee of no tampering in between the two points. I hope you like my answer and are satisfied with it – Yashveer Singh Jan 20 '17 at 17:48
  • @saranshmehra any confusion or more questions? – Yashveer Singh Jan 20 '17 at 17:54
  • It means every website's data is secure if we use HTTPS only... message level security is not required, right? But I think I read somewhere that other hosts in between can see the data, if not tamper with it, in HTTPS... is that true? – saransh mehra Jan 20 '17 at 18:03
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/133667/discussion-between-yashveer-singh-and-saransh-mehra). – Yashveer Singh Jan 20 '17 at 18:07