If You Need to Support Clients Over the Internet, Consider Using Message Security
- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
Use message security when your clients are deployed over the Internet and you cannot rely on transport security (SSL). Message security provides end-to-end security.
- SSL does not provide protection for the initial client-server handshake. Thus a man-in-the-middle attack can go undetected.
- You have less control of the communication between the client and service across the Internet. There is a chance of having intermediaries which might break transport security.
The downside of using message security is potentially decreased performance, because each message must be encrypted individually. Large messages in particular can create lag. You can use wsHttpBinding, which uses message security by default and also supports interoperability because it uses text encoding.
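
The wsHttpBinding setup described above, written out as a service configuration. This is an added example, not part of the original guidance; the service, contract, binding, behavior and certificate names are hypothetical, and the UserName client credential is an assumption, since the page does not name a credential type.

```xml
<!-- Added example. All names and the certificate subject are hypothetical placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- messageEncoding="Text" is the wsHttpBinding default, stated explicitly here. -->
        <binding name="InternetMessageSecurity" messageEncoding="Text">
          <!-- mode="Message" is also the default; writing it out makes the intent
               visible in review and guards against a later switch to "None". -->
          <security mode="Message">
            <!-- Assumption: Internet clients authenticate with a user name and password.
                 establishSecurityContext="true" (the default) sets up a
                 WS-SecureConversation session, so later messages are protected with a
                 session key instead of repeating the full negotiation per message. -->
            <message clientCredentialType="UserName"
                     negotiateServiceCredential="true"
                     establishSecurityContext="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="InternetServiceBehavior">
          <serviceCredentials>
            <!-- UserName message credentials require a service certificate; it
                 authenticates the service and protects the exchange with the client. -->
            <serviceCertificate findValue="service.example.com"
                                x509FindType="FindBySubjectName"
                                storeLocation="LocalMachine"
                                storeName="My" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.OrderService"
               behaviorConfiguration="InternetServiceBehavior">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="InternetMessageSecurity"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

Without a `userNameAuthentication` element under `serviceCredentials`, WCF validates the supplied user names against Windows accounts.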