Transport Security

patterns & practices Developer Center

If your WCF application passes sensitive data over networks, consider the threats of eavesdropping, tampering, and unauthorized callers accessing your endpoint. In an Intranet scenario where you have control over the intermediate systems, consider using transport security.

Consider the following guidelines when choosing transport security:

Each of these guidelines is described in the following sections.

Use transport security when possible

Transport security secures the client-server communication channel by using Secure Sockets Layer (SSL) over HTTP and Transport Layer Security (TLS) over TCP. Transport security is transport-dependent and does not require that the communicating parties understand XML-level security concepts. This can improve interoperability.

Consider that, if you are using transport security, you cannot use Service Credential Negotiation or authentication types such as username or issue token (CardSpace).

Use the following criteria to decide whether or not to use transport security:

  • Point-to-point. Transport security supports point-to-point communication and does not support intermediary scenarios or protocol transition.
  • Streaming. Transport security can support streaming data scenarios.
  • Binding limitations. Transport security does not work with wsDualHttpBinding.
  • Authentication limitations. Transport security does not work with negotiation, username, issue token (CardSpace), or Kerberos direct authentication.

Additional Resources

If you need to support clients in an intranet, use transport security

Use transport security when your clients are deployed within an intranet because it provides point-to-point security and better performance compared to message security.

In an intranet, you have control over the communication between client and service, and very few chances of having any intermediaries that might break the transport security. You can use netTCPbinding for better performance than HTTP bindings. By default, netTcpbinding uses binary encoding and transport security.

Additional Resources

If you need to support interoperability with non-WCF clients, use transport security

If you have non-WCF clients and they do not support the WS-Security specification, use transport security. Because message security requires the client to understand and support WS-Security specifications, it will not work with non-WCF clients.

Additional Resources

Use a hardware accelerator when using transport security

Transport security can benefit from SSL hardware acceleration that is performed on a network card in order to avoid burdening the host machine CPU with the encryption and decryption of the messages.

Transport security requires both the client and service to negotiate the details of the encryption. This is done automatically as part of the communication protocol in the respective binding. Hardware acceleration provides high throughput and may even make the security overhead unnoticeable.