C# – Does WCF message security actually encrypt message contents

Tags: c#, certificate, nettcpbinding, security, wcf

I have read the documentation provided at MSDN, and some other posts on this site. However, it's still a bit unclear whether WCF (specifically, NetTcpBinding) will actually encrypt message contents when using message security w/ certificates. Does anyone know for sure?

For instance you can specify both transport and message credentials in your config:

    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="Certificate"/>
      <message clientCredentialType="Certificate"
               negotiateServiceCredential="true" />
    </security>

As far as I can tell the MSDN documentation implies that message security simply relies on either username/password or certificate-based authentication (negotiation), but doesn't specifically state that the message themselves are actually encrypted at the message level.

For instance, if I use ONLY message security, with certificate-based negotiation, I don't think message contents are actually encrypted (i.e. a packet sniffer could intercept the raw message contents, even if the service enforces authentication)?

If true message-level encryption is possible (using NetTcpBinding) how is it done in code? I believe this is related to the AlgorithmSuite, though I'm not sure:

var binding = new NetTcpBinding();
binding.Security.Mode = SecurityMode.Message;                                  // message-level security only, no transport security
binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows; // caller authenticates with Windows credentials
binding.Security.Message.AlgorithmSuite = new System.ServiceModel.Security.TripleDesSecurityAlgorithmSuite(); // algorithms used to sign/encrypt the message

Best Answer

Not sure if this fully answers your question, but according to this article TCP encrypts by default.

NetTcpBinding is secure by default. Specifically, callers must provide Windows credentials for authentication and all message packets are signed and encrypted over TCP protocol.

In other words, if you customise the configuration but use a security mode other than 'None':

By default, all secure WCF bindings will encrypt and sign messages. You cannot disable this for transport security, however, for message security you may wish to disable this for debugging purposes, or when an alternate method of protection is used such as IPSec.
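The following is an added example, not code from the question or the answer, showing both points discussed on this page: a NetTcpBinding configured for message security with certificate credentials and an explicit algorithm suite (the question's configuration), and the contract-level ProtectionLevel that the answer's quote refers to when it says message protection can be turned down. The service name, the net.tcp address, and the certificate subject name are assumptions chosen for illustration; the certificate lookup targets whatever certificate you install for testing.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed contract. ProtectionLevel.EncryptAndSign is already the default for a
// secured binding; it is stated explicitly here so the requirement is visible in
// the contract and cannot be silently weakened by configuration. Lowering this to
// ProtectionLevel.Sign would leave the message body readable on the wire under
// pure message security.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text) => text;
}

public static class MessageSecurityExample
{
    // Placeholder subject name for a locally installed test certificate.
    const string CertificateSubject = "localhost";
    const string Address = "net.tcp://localhost:8000/echo";   // assumed address

    // Message-mode binding: no transport-level protection, so the SOAP body
    // itself must be signed and encrypted with the negotiated keys.
    public static NetTcpBinding CreateMessageSecurityBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // The suite selects the symmetric cipher, digest and key-wrap algorithms;
        // Basic256Sha256 is AES-256 with SHA-256, preferable to 3DES today.
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
        return binding;
    }

    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri(Address));
        host.AddServiceEndpoint(typeof(IEchoService), CreateMessageSecurityBinding(), "");

        // Service certificate: its public key protects the negotiated session key,
        // its private key proves the service's identity to callers.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, CertificateSubject);

        // Client certificates must chain to a trusted root; ChainTrust rejects
        // self-issued certificates that are not installed as trusted.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return host;
    }

    public static ChannelFactory<IEchoService> CreateClientFactory()
    {
        var factory = new ChannelFactory<IEchoService>(
            CreateMessageSecurityBinding(), new EndpointAddress(Address));

        // Client presents its own certificate for message-level authentication.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, CertificateSubject);

        // Validate the negotiated service certificate rather than trusting any key.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return factory;
    }

    public static void Main()
    {
        using (var host = CreateHost())
        {
            host.Open();
            var factory = CreateClientFactory();
            IEchoService proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Echo("hello"));
            ((IClientChannel)proxy).Close();
            factory.Close();
            host.Close();
        }
    }
}
```

With this configuration a capture of the net.tcp stream shows a framed SOAP envelope whose body is an EncryptedData element, not the plaintext "hello"; switching the contract to ProtectionLevel.Sign keeps the signature but exposes the body, which is the debugging trade-off the quoted text describes.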