6

I have a web service and we're currently hosting it on an HTTPS site.

My binding is this.

    <wsHttpBinding>
      <binding maxReceivedMessageSize="2000000">
        <readerQuotas maxStringContentLength="2147483647" />
        <security mode="Transport">
        </security>
      </binding>
    </wsHttpBinding>

And it seems to work well. But my main aim is to make sure the web service requests and responses are encrypted. I don't know much about web services but is that all there is to it?

Just use HTTPS and put this line in your configuration?

    <security mode="Transport">
    </security>

Or is there more to it? How can I know if the messages sent are encrypted or not?

Diskdrive

1 Answer

10

Yes, that's all. The mode Transport demands transport-level security, which in your case means HTTPS. If you want to see that messages are encrypted, you must use some network monitoring tool (Fiddler, Wireshark, etc.).

Ladislav Mrnka
  • Fantastic! Exactly what I want to hear! – Diskdrive Jun 07 '11 at 07:14
  • But what security does it actually use? I.e. `TLS 1.1`, `TLS 1.2`? – Don Cheadle Mar 09 '16 at 14:49
  • @mmcrae - it should use TLS by default. There used to be an option in .NET to switch to SSLv3 but I don't think anyone is using that these days as SSLv3 is not considered secure anymore! The exact version of the TLS protocol is not configured in .NET as .NET is only using what Windows provides. It is the Windows configuration which says what version of TLS is in use, and that configuration is, as far as I know, done by changing the Windows registry - e.g.: https://technet.microsoft.com/en-gb/library/dn786418.aspx#BKMK_SchannelTR_TLS12 – Ladislav Mrnka Mar 09 '16 at 17:25
  • Then I'm a bit confused since this Q&A http://stackoverflow.com/questions/26389899/how-do-i-disable-ssl-fallback-and-use-only-tls-for-outbound-connections-in-net seems to imply that just the code change to `System.Net.ServicePointManager.SecurityProtocol` will allow use of `TLS 1.2`. Maybe here's my confusion: Is that code change all you need - regardless of Windows version/OS - if you're only concerned with out-going requests? And if you want to ensure that in-coming requests are handled with `TLS 1.2`, then *that's* when you need to be concerned with your Windows version/registry? – Don Cheadle Mar 09 '16 at 18:33
  • @mmcrae: Sorry, my fault. This used to be the way to force SSLv3 but I didn't notice that .NET 4.5+ added Tls11 and Tls12. If this was added to .NET I expect that setting it to Tls12 is all you need to do to force TLS 1.2 protocol. – Ladislav Mrnka Mar 11 '16 at 10:34
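
Added example (not from the question, the answer or the comments): a small Python audit that reads a WCF configuration and reports, for each endpoint, whether the binding's security mode puts the exchange inside TLS. The sample config, the `legacy` binding, the endpoints and the `audit` function are constructed for illustration; it assumes .NET 4 or later, where an unnamed `<binding>` acts as the default for its binding type.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's binding, plus a hypothetical named
# binding with security off and two hypothetical endpoints.
SAMPLE_CONFIG = """
<configuration><system.serviceModel>
  <bindings><wsHttpBinding>
    <binding maxReceivedMessageSize="2000000"><security mode="Transport" /></binding>
    <binding name="legacy"><security mode="None" /></binding>
  </wsHttpBinding></bindings>
  <services><service name="Demo.Service">
    <endpoint address="https://example.test/a.svc" binding="wsHttpBinding"
              contract="Demo.IA" />
    <endpoint address="http://example.test/b.svc" binding="wsHttpBinding"
              bindingConfiguration="legacy" contract="Demo.IB" />
  </service></services>
</system.serviceModel></configuration>
"""

# Modes that carry the exchange inside TLS and so need an https:// address.
TLS_MODES = {"Transport", "TransportWithMessageCredential"}
# Mode in effect when no <security mode> is given (only these two bindings covered).
DEFAULT_MODE = {"wsHttpBinding": "Message", "basicHttpBinding": "None"}

def audit(config_xml):
    """Return [(address, security mode, verdict)] for every endpoint."""
    model = ET.fromstring(config_xml).find("system.serviceModel")
    modes = {}  # (binding type, configuration name) -> security mode
    for kind in model.find("bindings"):
        for b in kind.findall("binding"):
            sec = b.find("security")
            mode = sec.get("mode") if sec is not None else None
            modes[(kind.tag, b.get("name", ""))] = mode or DEFAULT_MODE.get(kind.tag, "unknown")
    results = []
    for ep in model.iter("endpoint"):
        kind, addr = ep.get("binding"), ep.get("address", "")
        fallback = DEFAULT_MODE.get(kind, "unknown")
        mode = modes.get((kind, ep.get("bindingConfiguration", "")), fallback)
        if mode in TLS_MODES:
            # Relative addresses take their scheme from the host; flag only explicit http://.
            plain = addr.lower().startswith("http://")
            verdict = "mismatch: TLS mode on http address" if plain else "tls"
        elif mode == "Message":
            verdict = "message-level only"
        else:
            verdict = "not encrypted" if mode == "None" else "unknown"
        results.append((addr, mode, verdict))
    return results
```

A `tls` verdict only says the configuration asks for HTTPS; the protocol version actually negotiated still has to be confirmed on the wire with a capture tool, as the answer says.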