
According to the following quote, WCF transport security provides point-to-point security:

Transport security is used to provide point-to-point security between the two endpoints (service and client). If there are intermediary systems between the client and the server, each intermediate point must forward the message over a new SSL connection.

  1. What is meant by SSL providing point-to-point security?

  2. Is SSL communication still possible between client and server, if an intermediary system (located between the client and the server) forwards the message over a non-SSL connection?

  3. Assuming it is possible ... I don't see why an intermediary system forwarding messages over a non-SSL connection would provide less security, since messages are already encrypted by the original sender (which is either client or server) and thus can't be decrypted by an intermediary system?

James A Mohler
Jacky SSIS
  • Follow these answers: http://stackoverflow.com/questions/5673283/wcf-transport-vs-message/5673867#5673867, http://stackoverflow.com/questions/4679235/wcf-service-certificates-and-message-security-with-username-authentication/4679924#4679924, http://stackoverflow.com/questions/7201536/while-using-https-protocol-who-encrypts-the-message-the-browser-or-the-network/7201785#7201785 I believe they will answer your questions. – Ladislav Mrnka Aug 28 '11 at 20:12
  • possible duplicate of [WCF Transport security weakness](http://stackoverflow.com/questions/3767660/wcf-transport-security-weakness) – Kirk Broadhurst Aug 28 '11 at 23:20

1 Answer


I've already answered a practically identical question:

WCF Transport security weakness

If you have any additional questions, ask away.

Allon Guralnek
  • Hi Allon Guralnek, suppose there is a load balancer between client and service? Why can't we establish an SSL connection between client and service directly? – Jacky SSIS Aug 29 '11 at 01:56
  • Why can't transport security play like message security: "The receiving end eventually forwards the encrypted message to the intended recipient"? That is to say, why can't the receiving end just forward the encrypted message to the intended recipient? – Jacky SSIS Aug 29 '11 at 02:01
  • @Jacky: You can establish an SSL connection through a load balancer if you set up the server behind with a certificate issued to the load balancer's address. – Allon Guralnek Aug 29 '11 at 17:23
  • SSL encrypts the data flowing between two connected computers at a low level. It is not aware of concepts such as sender, recipient, message, and does not provide a mechanism for storing messages, delivering them, retransmitting them in case of failure or unavailability, verification of delivery, etc. Message based security is much higher up the protocol stack, and knows which parts of the message to encrypt (the body) and which not to encrypt (the recipient), so that the message can be delivered successfully without all the 'post offices' requiring the ability to decrypt the message. – Allon Guralnek Aug 29 '11 at 17:34
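The difference Allon describes in his last comment, shown as an added Python simulation that is not part of this thread or of WCF: with transport security the load balancer must terminate hop 1 and so sees the whole message, while with message security only the body is encrypted (end to end) and the routing header stays readable. The hop keys, the end-to-end key, the load balancer and the toy HMAC keystream cipher are all assumptions made to keep the example self-contained; the cipher stands in for SSL/WS-Security and is not suitable for real use.

```python
import hmac
import hashlib
import json

# Toy keystream cipher (HMAC-SHA256 in counter mode), assumed here only so the
# simulation runs offline. It is NOT SSL/TLS or WS-Security; do not reuse it.
def toy_encrypt(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

toy_decrypt = toy_encrypt  # XOR keystream: the same operation decrypts

# Hypothetical keys: one per hop (transport model), one end to end (message model).
K_CLIENT_LB = b"client<->loadbalancer hop key"
K_LB_SERVICE = b"loadbalancer<->service hop key"
K_CLIENT_SERVICE = b"client<->service end-to-end key"

def transport_security(to: str, body: str):
    """Hop-by-hop: the load balancer terminates hop 1, reads everything,
    then opens hop 2. Returns (what the LB saw, what the service received)."""
    msg = json.dumps({"to": to, "body": body}).encode()
    hop1 = toy_encrypt(K_CLIENT_LB, msg)
    seen_by_lb = toy_decrypt(K_CLIENT_LB, hop1)    # LB must decrypt to route
    hop2 = toy_encrypt(K_LB_SERVICE, seen_by_lb)   # and re-encrypt for hop 2
    at_service = json.loads(toy_decrypt(K_LB_SERVICE, hop2))
    return json.loads(seen_by_lb), at_service

def message_security(to: str, body: str):
    """End to end: only the body is encrypted, with a key the LB does not hold;
    the 'to' header stays clear so the LB can route without decrypting."""
    envelope = {"to": to,
                "body": toy_encrypt(K_CLIENT_SERVICE, body.encode()).hex()}
    seen_by_lb = dict(envelope)                    # forwarded byte for byte
    plain = toy_decrypt(K_CLIENT_SERVICE, bytes.fromhex(seen_by_lb["body"]))
    at_service = {"to": seen_by_lb["to"], "body": plain.decode()}
    return seen_by_lb, at_service

if __name__ == "__main__":
    # Constructed sample message; the card number is a placeholder.
    for model in (transport_security, message_security):
        lb_view, svc_view = model("OrderService", "order 42, card ending 1111")
        print(model.__name__, "LB saw:", lb_view["body"])
        print(model.__name__, "service got:", svc_view["body"])
```

Under the transport model the load balancer's view contains the plaintext body, which is exactly why a hop that forwards over a non-SSL connection exposes the message; under the message model it sees only the recipient and ciphertext.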