I have recently been working with WCF. There is a WCF service hosted in a Windows service. It currently uses basicHttpBinding with the BasicHttpSecurityMode.TransportCredentialOnly security mode and the credential type HttpClientCredentialType.Basic. The service implements UserNamePasswordValidator to verify the login and password entered on the client. The service itself and its clients are on the Internet.

I understand that this option is not good, because all data is transmitted in the clear, it can be tampered with, and so on. It is necessary to provide at least data encryption, but when studying this question I keep running into the statement that if the service and clients are not on the local network, then you need to use certificates. And, accordingly, they need to be bought from a certification authority, which I would not like to do. It is possible, but also not desirable, to use utilities to generate certificates yourself. But such certificates, it seems, will have to be installed on the client computer, which is very difficult for the user.

Tell me, is there an easier way for my case? Without certificates, or is that a utopia?


    What are you planning to defend against? If it is interception of traffic, then you really need to look in the direction of HTTPS, which means you cannot do without certificates.

    Here is what needs to be said. Is this a commercial or non-commercial project? For an organization, it is better to purchase the simplest SSL certificate; this is not so expensive. Or there may already be one, bought "for the website"; you just need to convert it.

    If the project is personal and non-commercial, then why not consider the option of obtaining free certificates?

    Previously, the Chinese (WoSign) would give out a wildcard for three years for free (sic!!!), and now for small personal projects I have switched to using LetsEncrypt. For Unix projects they are generally great; under Windows they are not very convenient because there is no official client.

    You write everything about self-signed certificates correctly: yes, they need to be installed on the client computer, which is not always convenient.

    • Interception is not very critical; the main thing is that the data is not sent in the open, but encrypted. The project is commercial. The service will be deployed for multiple organizations. Then a certificate is needed for each organization separately, as I understand it? In addition, not every organization has competent admins who are ready to perform extra actions. Therefore, I would like the simplest option. - Atsk
    • @Atsk Clarify what you mean by "deploy for multiple organizations". If you have one server at home, and the several organizations are several client organizations, each with 100 computers, then no, you only need one certificate for the server. If you need to deploy several servers with identical code at different organizations (and only the hundred computers of its own employees can connect to an organization's server from the Internet), then you need one certificate for each organization. - AK
    • In my case, the second option you described applies: "you need to deploy several servers with identical code at different organizations (and only the hundred computers of its own employees can connect to the organization's server from the Internet)". - Atsk
    • @Atsk Then each organization will have to get one certificate for itself, for the domain name it chooses. I do not know why you are so worried about this; unless you are dealing with very small organizations that do not have their own admin, installing a certificate is not so complicated by today's standards. After all, it is not a complicated deployment. And if you provide instructions, it is quite routine. This is just like a website, exactly the same certificate, and nowadays every office has a website. - AK
    • @AK, and if you still focus on the fact that intercepting traffic is not so terrible and you only need to encrypt the data, are there any options other than certificates? - Atsk
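To make the answer concrete, here is an added example (not code from the question or the answer) that puts the binding described in the question beside the HTTPS variant the answer recommends. The contract, the validator's accepted credentials, the port and the address are assumptions; it also assumes a server certificate has already been bound to the HTTPS port (for self-hosting, with `netsh http add sslcert`), which is exactly the certificate the answer says you cannot avoid.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IReportService          // hypothetical contract
{
    [OperationContract]
    string GetReport(int id);
}

public class ReportService : IReportService
{
    public string GetReport(int id) => "report-" + id;
}

// Custom validator as in the question; the credentials here are constructed for the demo.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "s3cret")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

static class Program
{
    // The question's setup: Basic credentials AND the payload travel over plain HTTP,
    // so anyone on the path can read the password and the data.
    static BasicHttpBinding PlainHttpBinding()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        return b;
    }

    // The answer's recommendation: same Basic credentials, but the channel is HTTPS,
    // so the server certificate encrypts both the password and the data.
    static BasicHttpBinding HttpsBinding()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        return b;
    }

    static void Main()
    {
        var host = new ServiceHost(typeof(ReportService), new Uri("https://localhost:8443/report"));
        host.AddServiceEndpoint(typeof(IReportService), HttpsBinding(), "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
        host.Open();                      // fails if no certificate is bound to port 8443
        Console.WriteLine("Listening on https://localhost:8443/report, press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Swapping `HttpsBinding()` for `PlainHttpBinding()` and the base address for `http://` reproduces the question's configuration, which is the only change between the two.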