WCF Transport security weakness


Question

In the 2nd edition of "Programming WCF Services" by Lowy, ch. 10, page 512.

Lowy says about Transport security: its main downside is that it can only guarantee transfer security point-to-point, meaning when the client connects directly to the service. Having multiple intermediaries between the client and the service renders Transport security questionable, as those intermediaries may not be secure. Consequently, Transport security is typically used only by intranet applications.

HTTPS is one of the Transport security options. How does the previous paragraph apply to HTTPS?! HTTPS encrypts everything all the way from the start point to the end point. Also, every e-commerce application in the world uses HTTPS; how can you limit it to intranet applications?!

Thanks

Recommended answer

HTTPS encrypts data point-to-point, and once the data reaches one of the points and is decrypted, no security guarantee is made from that point onwards. Intermediary nodes, however, cannot read the information.

Message security, on the other hand, can encrypt data to be decrypted only by a certain recipient, which can be a separate entity from the receiving end. The receiving end might eventually forward the encrypted message to the intended recipient, who will be able to decrypt the message.

An analogy would be email. If you establish a connection with your mail server using transport security (e.g. HTTPS), any information is guaranteed to be secured from your machine to the mail server. However, anyone with access to the mail server (e.g. server administrators) will be able to read the content of the email.

On the other hand, if you use message security to encrypt the message so that only a specified recipient can decrypt it, the actual email message is encrypted (and not simply the communication between you and the server), so that even once the message is received by the server, it is still encrypted. Only when the email server forwards your message to your intended recipient can the recipient decrypt the message using his own private key, thereby keeping the email private across the whole delivery path while not requiring direct communication between the sender and that recipient, as is required by transport-level security.

Of course, some parts of the message must remain visible to the email server, for example the recipient's address, and so you may want to use both levels of security: message security will ensure the mail server (or any party except the recipient) can't read the content of your email, and transport security will additionally ensure that a third party listening in on the communications between you and your mail server can't find out who you're sending an email to (unless the mail server divulges that information to that third party).
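The following is an added example, not code from the question, the answer, or Lowy's book, showing how the two modes the answer contrasts are expressed as WCF bindings. The contract, the endpoint addresses and the certificate subject name "orders.example.test" are assumptions for illustration. The Transport endpoint is only protected up to whatever terminates TLS; the Message endpoint carries a WS-Security encrypted body that an intermediary can forward but not read.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract used only for this example; the original page has no code.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string PlaceOrder(string orderXml);
}

public class OrderService : IOrderService
{
    public string PlaceOrder(string orderXml)
    {
        return "accepted " + orderXml.Length + " bytes";
    }
}

public static class SecureBindings
{
    // Transport mode: TLS protects the hop between the client and whatever
    // terminates HTTPS. A reverse proxy or gateway that terminates TLS sees the
    // SOAP body in clear text, which is the point-to-point limit Lowy describes.
    public static WSHttpBinding TransportOnly()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return binding;
    }

    // Message mode: WS-Security signs and encrypts the SOAP message itself with the
    // service certificate. Intermediaries forward ciphertext; only the holder of the
    // service private key can read the body, so plain HTTP is acceptable underneath.
    public static WSHttpBinding MessageOnly()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Do not hand the service certificate out in-band; the client must already trust it.
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    // Mixed mode: HTTPS for channel confidentiality, client credential carried inside
    // the message. Confidentiality is still hop-by-hop, so this is not end-to-end.
    public static WSHttpBinding MixedMode()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(OrderService));

        // Certificate whose private key decrypts Message-mode traffic. The subject
        // name is an assumption; use a certificate installed on your own machine.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "orders.example.test");
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;

        host.AddServiceEndpoint(typeof(IOrderService), SecureBindings.TransportOnly(),
            "https://localhost:8443/orders/transport");
        host.AddServiceEndpoint(typeof(IOrderService), SecureBindings.MessageOnly(),
            "http://localhost:8080/orders/message");

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The HTTPS endpoint needs a server certificate bound to port 8443 at the HTTP.sys level (`netsh http add sslcert`) before `Open()` succeeds, and a client of the Message endpoint must hold its own certificate plus the service's public certificate. Note that WCF's `SecurityMode` for HTTP bindings has no option that applies both layers at once in the way the answer's last paragraph suggests; `TransportWithMessageCredential` only moves the credential into the message. A genuine "Both" mode (`NetMsmqSecurityMode.Both`) exists only for `NetMsmqBinding`.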

