safety – Message encryption wcf service

Question:

Most recently I am working with wcf. There is a wcf service that is hosted in Windows services. It is currently used for the Binding basicHttpBinding security regime BasicHttpSecurityMode.TransportCredentialOnly and type of credential HttpClientCredentialType.Basic. The service implements UserNamePasswordValidator for checking the login and password entered on the client. The service itself and its clients are on the Internet. I understand that this option is not good, because all data is transmitted in clear text, it can be replaced and blah blah blah. It is necessary to provide at least data encryption, but when studying this issue I come across everywhere that if the service and clients are not on the local network, then you need to use certificates. And they accordingly need to be bought at a certification center, which I would not like to do. It is possible, but also not desirable, to use utilities for self-generation of certificates. But such certificates, it seems, have to be downloaded to the client computer, which is very difficult for the user. Tell me, is there an easier way for my case? Without certificates, or is it a utopia?

Answer:

What are you planning to defend against? If traffic from being intercepted – then you really need to look towards https, which means – without certificates can not do.

Here's what to say. Is this a commercial project or a non-commercial one? For an organization, it is better to purchase the simplest SSL certificate, it is not so expensive. Or it may already be, if you bought it "for the site", you just need to convert it.

If the project is personal, non-commercial, then why not consider the option of obtaining free certificates?

Previously, from the Chinese (WoSign) it was possible to get a wildcard for three years for free (sic !!!), I have now switched to using LetsEncrypt for small personal projects. For unix projects, they are generally incredibly good, for windows they are not very convenient because there is no official client.

You write everything correctly about self-signed certificates – yes, they need to be installed on the client computer, which is not always convenient.

Scroll to Top