6

I have a web service and we're currently hosting it in an HTTPS site.

My binding is this.

    <wsHttpBinding>
      <binding maxReceivedMessageSize="2000000">
        <readerQuotas maxStringContentLength="2147483647" />
        <security mode="Transport">
        </security>
      </binding>
    </wsHttpBinding>

And it seems to work well. But my main aim is to make sure the web service requests and responses are encrypted. I don't know much about web services but is that all there is to it?

Just use HTTPS and put this line in your configuration?

    <security mode="Transport"> </security>

Or is there more to it? How can I know if the messages sent are encrypted or not?

1 Answer

10

Yes, that's all. The mode Transport demands transport level security, which in your case means HTTPS. If you want to see that messages are encrypted you must use some network monitoring tool (Fiddler, Wireshark, etc.).


5 Comments

Fantastic! Exactly what I want to hear!
But what security does it actually use? I.e. TLS 1.1, TLS 1.2?
@mmcrae - it should use TLS by default. There used to be an option in .NET to switch to SSLv3, but I don't think anyone is using that these days as SSLv3 is not considered secure anymore! The exact version of the TLS protocol is not configured in .NET, as .NET is only using what Windows provides. It is the Windows configuration which says what version of TLS is in use, and that configuration is, as far as I know, done by changing the Windows registry - e.g.: technet.microsoft.com/en-gb/library/…
Then I'm a bit confused since this Q&A stackoverflow.com/questions/26389899/… seems to imply that just the code change to System.Net.ServicePointManager.SecurityProtocol will allow use of TLS 1.2. Maybe here's my confusion: Is that code change all you need - regardless of Windows version/OS - if you're only concerned with outgoing requests? And if you want to ensure that incoming requests are handled with TLS 1.2, then that's when you need to be concerned with your Windows version/registry?
@mmcrae: Sorry, my fault. This used to be the way to force SSLv3 but I didn't notice that .NET 4.5+ added Tls11 and Tls12. If this was added to .NET I expect that setting it to Tls12 is all you need to do to force the TLS 1.2 protocol.
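
Added example (not part of the original question, answer or comments): a small Python check that reads a WCF configuration and reports, for each `wsHttpBinding`, whether its security mode forces an HTTPS transport. The sample configuration, the binding names and the function names are constructed for illustration; the fallback to `Message` reflects the default security mode of `wsHttpBinding` when none is set.

```python
import xml.etree.ElementTree as ET

# SecurityMode values under which WCF insists on an https:// endpoint address.
HTTPS_MODES = {"Transport", "TransportWithMessageCredential"}

# Constructed sample: "secure" is the binding from the question,
# "plain" and "implicit" are weaker variants added for contrast.
SAMPLE_CONFIG = """
<configuration><system.serviceModel><bindings><wsHttpBinding>
  <binding name="secure" maxReceivedMessageSize="2000000">
    <readerQuotas maxStringContentLength="2147483647" />
    <security mode="Transport"></security>
  </binding>
  <binding name="plain"><security mode="None" /></binding>
  <binding name="implicit" />
</wsHttpBinding></bindings></system.serviceModel></configuration>
"""


def audit_ws_http_bindings(config_xml):
    """Return {binding name: (security mode, requires_https)}."""
    root = ET.fromstring(config_xml)
    results = {}
    for group in root.iter("wsHttpBinding"):
        for binding in group.findall("binding"):
            security = binding.find("security")
            # No <security> element or no mode attribute: wsHttpBinding
            # uses Message security, which does not require HTTPS.
            mode = "Message"
            if security is not None:
                mode = security.get("mode", "Message")
            name = binding.get("name", "(default)")
            results[name] = (mode, mode in HTTPS_MODES)
    return results


def bindings_without_https(config_xml):
    """Names of bindings whose mode does not force an HTTPS transport."""
    audit = audit_ws_http_bindings(config_xml)
    return sorted(name for name, (_, ok) in audit.items() if not ok)


if __name__ == "__main__":
    for name, (mode, ok) in audit_ws_http_bindings(SAMPLE_CONFIG).items():
        verdict = "HTTPS required" if ok else "HTTPS not required"
        print(f"{name:10} mode={mode:10} {verdict}")
```

A binding reported as "HTTPS not required" is not necessarily sending plaintext (`Message` mode protects the SOAP message itself), but only the transport modes guarantee that the whole exchange runs over TLS, which is what a capture in Wireshark or Fiddler would show.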
