應用程序會使用依靠傳輸模式傳送安全性的 WCF 端點。傳輸模式是最不安全的選項,應避免使用此選項。
傳輸安全性會指定由傳輸層機制(例如 HTTPS)提供的保密性、完整性和 authentication。如果采用類似 HTTPS 的傳輸模式,由于這種模式在 Internet 上廣泛應用,因此具備高性能且易于理解的優勢。其劣勢在于這種安全模式是在通信路徑中的每個中繼段上單獨應用,因而導致通信容易受到中間人攻擊。
WCF 提供兩種其他的傳輸安全模式,這兩種模式都比較可取:消息和采用消息憑證的傳輸安全模式。消息安全模式采用 WS-Security 規范來確保消息級別的保密性、完整性和 authentication。這種安全模式在傳輸方法中可提供端到端的安全性和靈活性,但會降低性能。
最后一種方法,即采用消息憑證的傳輸是傳輸與方法的結合。消息安全性用于驗證客戶端;傳輸安全性用于驗證服務器并提供保密性和完整性。這種模式幾乎與單純的傳輸安全性一樣高效。
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A3 Broken Authentication and Session Management
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A3 Broken Authentication and Session Management
[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A7 Broken Authentication and Session Management
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3480.2 CAT II
[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3480.2 CAT II
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 285
[7] Standards Mapping - FIPS200 - (FISMA) IA
[8] J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher Improving Patterns and Practices:Improving Web Services Security Guide Microsoft
[9] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[10] Microsoft Delivery Network (MSDN) Microsoft
[11] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 285
[12] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 285
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3, Requirement 7.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7, Requirement 7.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8, Requirement 7.2