A transport-level secured channel provides:

  • data integrity (sign)
  • data privacy (encrypt)
  • validation of the communicating parties' identities (authentication)

Transport-level security has many advantages:

  • easy to implement
  • integration with existing infrastructure

Transport-level security has one disadvantage: the data is secured only between the two endpoints. It is not secured in the upper WCF layers, which potentially leaves room for attacks at those layers.

Transport security details per binding:

basicHttpBinding
  • Allows for configuring clientCredentialType (Basic, Certificate, Digest, None, Ntlm, Windows).
  • Allows for configuring proxyCredentialType (Basic, Digest, None, Ntlm, Windows).
  • Allows for configuring a realm (needed only when using Basic or Digest credentials).

wsHttpBinding
  • Same as basicHttpBinding.

wsDualHttpBinding
  • No transport-level security.

netTcpBinding
  • Allows for configuring clientCredentialType (Certificate, None, Windows).
  • Allows for configuring protectionLevel (None, Sign, EncryptAndSign).
  • To set the security options programmatically, use binding.Security.Mode and binding.Security.Transport.ClientCredentialType.

netNamedPipeBinding
  • Similar to netTcpBinding, but no client credentials can be specified: WCF allows named pipe channels only between processes running on the same system, so the credentials are always the identity of the Windows processes/threads communicating via WCF.

msmqIntegrationBinding
  • Can be used only when the client and the service are in the same domain (the documentation does not specify what happens if the two communicating parties are in separate domains with an established trust between them).
  • Allows for configuring msmqAuthenticationMode (None, Certificate, WindowsDomain).
  • Allows for configuring msmqEncryptionAlgorithm (RC4Stream, AES).
  • Allows for configuring msmqProtectionLevel (None, Sign, EncryptAndSign).
  • Allows for configuring msmqSecureHashAlgorithm (MD5, SHA1, SHA256, SHA512).
  • If Certificate authentication is used, the target queue must allow anonymous access in write mode.
  • The EncryptAndSign protection level can only be used in a Windows domain, because the encryption key is the public key of the target queue and that key can only be obtained from a domain controller.

netMsmqBinding
  • Similar to msmqIntegrationBinding.
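As an added example (not code from the original post), this shows the netTcpBinding settings from the table being set programmatically, plus a guard that refuses to open a host whose binding was left unauthenticated or unencrypted; the service contract, its implementation and the listener address are assumptions.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Assumed contract and implementation; the page names no service.
[ServiceContract]
public interface IOrderService { [OperationContract] string Ping(string message); }

public class OrderService : IOrderService
{
    public string Ping(string message) { return "pong: " + message; }
}

public static class TransportSecuritySetup
{
    // netTcpBinding with transport security: the caller's Windows identity
    // (Kerberos/NTLM) is required and every frame is signed and encrypted.
    public static NetTcpBinding CreateSecuredTcpBinding()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }
    // Deployment guard: SecurityMode.None and ProtectionLevel.None are valid
    // settings, so verify the binding before opening the host.
    public static bool IsHardened(NetTcpBinding binding)
    {
        return binding.Security.Mode == SecurityMode.Transport
            && binding.Security.Transport.ClientCredentialType != TcpClientCredentialType.None
            && binding.Security.Transport.ProtectionLevel == ProtectionLevel.EncryptAndSign;
    }
    public static void Main()
    {
        NetTcpBinding tcp = CreateSecuredTcpBinding();
        if (!IsHardened(tcp))
            throw new InvalidOperationException("netTcpBinding leaves the channel unprotected");

        // Listener address is assumed for the example.
        var address = new Uri("net.tcp://localhost:8731/orders");
        using (var host = new ServiceHost(typeof(OrderService), address))
        {
            host.AddServiceEndpoint(typeof(IOrderService), tcp, "");
            host.Open();
            Console.WriteLine("Listening with " + tcp.Security.Transport.ProtectionLevel);
            Console.ReadLine();
        }
    }
}
```

The same properties can be expressed in app.config under the binding's security/transport element; checking them in code as above keeps the guard independent of which configuration file was deployed.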