I am trying to use username message security in WCF. I am trying to find out if using transport credential type of None/Anonymous will pose a definite security risk.
My concern is with the initial exchange where binary data is tunneled through using the WS-Trust specification (TLS negotiation). Will this attempt to authenticate my username and password be susceptible to network sniffers before the shared security context is established?
Any thoughts welcome.
Thanks.
<security mode="Message">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
</security>
Best Answer
According to the specs for WS-Security, the UsernameToken could contain both the username and the password, unencrypted. This would mean that information is transferred over the wire in the clear. Binary formatting is not a deterrent. This is generally referred to as "security by obscurity" and is not a security measure at all.
Coincidentally, I ran across a lot of this information when reading an article by Scott Hanselman a little while back. It hints at the issues you are having. http://www.hanselman.com/blog/BreakingAllTheRulesWithWCF.aspx
You'll definitely want to enable some transport-level security here if you intend to enable this feature.
Here's the OASIS docs on WS-Security UsernameToken. It appears to allow several scenarios, but I'm not sure what scenario that WCF uses by default: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
If you are curious, you'd want to enable message logging and inspect the message to see what's being sent.
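The inspection the answer suggests, as an added example that is not code from the question or the answer: a small checker that takes a SOAP envelope as WCF message logging would capture it and reports whether the WS-Security UsernameToken is in plaintext (and with which password Type), or sits inside an xenc:EncryptedData element, and then whether a passive sniffer on the path could recover the password given the endpoint scheme. The namespace URIs and the PasswordText/PasswordDigest Type values are the ones from the OASIS WS-Security 1.0 specs linked above; the two envelopes below are constructed for this example and are not real WCF output.

```python
"""Classify how a WS-Security UsernameToken appears in a logged SOAP message.

Added example (not from the question or answer). Feed it a message as captured
by message logging and it tells you what a network sniffer would see.
The two sample envelopes at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted logs
from urllib.parse import urlparse

# Namespaces from the OASIS WS-Security 1.0 specs and XML Encryption.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = _PROFILE + "#PasswordText"
PASSWORD_DIGEST = _PROFILE + "#PasswordDigest"


def classify_username_token(envelope_xml: str) -> str:
    """Return one of: cleartext-password, digest-password, username-only,
    encrypted, no-username-token, no-security-header."""
    root = ET.fromstring(envelope_xml)
    header = root.find("s:Header", NS)
    security = header.find("wsse:Security", NS) if header is not None else None
    if security is None:
        return "no-security-header"

    token = security.find("wsse:UsernameToken", NS)
    if token is not None:
        password = token.find("wsse:Password", NS)
        if password is None:
            return "username-only"
        # The UsernameToken profile says an absent Type attribute means PasswordText.
        if password.get("Type", PASSWORD_TEXT) == PASSWORD_DIGEST:
            return "digest-password"
        return "cleartext-password"

    # WCF message security wraps the token in EncryptedData inside the Security header.
    if security.find("xenc:EncryptedData", NS) is not None:
        return "encrypted"
    return "no-username-token"


def sniffer_risk(endpoint_url: str, classification: str) -> str:
    """What a passive sniffer between client and service gets for this message."""
    if urlparse(endpoint_url).scheme.lower() == "https":
        return "protected-by-tls"          # transport security covers the whole envelope
    if classification == "cleartext-password":
        return "password-in-clear"         # username and password readable off the wire
    if classification == "digest-password":
        return "digest-crackable-offline"  # not readable, but a nonce+hash can be brute-forced
    if classification == "encrypted":
        return "token-encrypted"           # only the service certificate holder can read it
    return "no-password-on-wire"


# Constructed sample 1: token in the clear, Type=PasswordText (what the answer warns about).
CLEARTEXT_SAMPLE = f"""<s:Envelope xmlns:s="{NS['s']}">
  <s:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""

# Constructed sample 2: the token has been encrypted to the service certificate.
ENCRYPTED_SAMPLE = f"""<s:Envelope xmlns:s="{NS['s']}">
  <s:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:xenc="{NS['xenc']}">
      <xenc:EncryptedData Type="{NS['xenc']}Element">
        <xenc:CipherData><xenc:CipherValue>AAECAwQF</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


if __name__ == "__main__":
    for name, sample in (("cleartext", CLEARTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        kind = classify_username_token(sample)
        print(name, kind, sniffer_risk("http://svc.example/Service.svc", kind))
```

To get messages in the form this script expects, log them at the transport level rather than the service level (in the WCF diagnostics messageLogging element, logMessagesAtTransportLevel rather than logMessagesAtServiceLevel); service-level logging records the message after the security layer has already decrypted it, which tells you nothing about what crossed the wire.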