Is TransportWithMessageCredential without certificate secure enough for a WCF service?

Question

I have developed a WCF self-hosted service, for which I have two basic security requirements as it will be accessed over the Internet:

• The transport layer should prevent tampering and sniffing, especially the retrieval of authentication credentials. This is what SSL does, but from what I have seen setting up SSL requires the installation of certificates (except maybe through this hack that uses plain certificate files), which I prefer not to have to do.

• The authentication layer should consist of a username/password validator.

I configured my service to use:

      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
        <transport clientCredentialType="Basic" />
      </security>

Even if the transport layer is HTTP (not HTTPS), does this make WCF create another security layer that is equivalent to SSL? If not, what is the difference in terms of security strength?

Also, is there any way to secure the meta data endpoint without using a SSL certificate (not essential but would be appreciated)?

Here is my full configuration code for the self-hosted service:

<?xml version="1.0"?>
<configuration>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup>
  <system.serviceModel>
    <services>
      <service name="MyService">
        <host>
          <baseAddresses>
            <add baseAddress = "http://localhost:8000/Services" />
          </baseAddresses>
        </host>
        <endpoint address ="MyService" binding="wsHttpBinding" contract="IMyService">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="Binding1" maxReceivedMessageSize="2147483647">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="True"/>
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="CR.Common.Services.CustomValidator, Common" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Thank you!

Answer 1

By default, all secure WCF bindings (like wsHttpBinding) will encrypt and sign messages.

SSL mandatory use a certificate, and the hack in the link you give is hacking wcf, not SSL. Because without SSL WCF forbid the use of the basicHttpBinding (which send xml in clear) and UserNamePasswordValidator, because in this case anyone that intercept the message can get the username/password.

With WSHttpBinding you could avoid SSL and put the security on the message level.

I strongly advise you to read this article, especially the Service Credentials and Negotiation chapter:

To support mutual authentication and message protection, services must provide credentials to the caller. When transport security is used (SSL), service credentials are negotiated through the transport protocol. Service credentials for message security can also be negotiated when Windows credentials are used; otherwise a service certificate must be specified

With the UserNamePasswordValidator, you must configure a certificate on the server to allow the client the sign and encrypt each message (using the certificate's public key). If you were using Windows authentication, it'll not be needed.

Why are you so worried about certificate ?