Does WCF with TransportWithMessageCredential use SSL?

Question

I'm configuring a WCF service in the intranet between a client and a server.

I've set it up for wsHttpBinding with TransportWithMessageCredentia without certificate authentication.

Am I correct that service now use ssl/tls and encrypts the messages?

Is this secure or do I need to use certificates too?

Answer 1

Yes, we should bind a certificate to the particular port, so as to secure the communication.
https://learn.microsoft.com/en-us/windows/win32/http/add-sslcert
If hosting the service in IIS, we are supposed to add an https binding to the site binding module.
The certificate is used to provide integrity, confidentially, and authentication while SOAP message security provides client authentication.
Therefore, please consider the below configuration.

WSHttpBinding binding = new WSHttpBinding();
            binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

the service base address is https style and authenticates the client with a pair of username/password.
https://learn.microsoft.com/en-us/dotnet/api/system.servicemodel.securitymode?view=netframework-4.8#System_ServiceModel_SecurityMode_TransportWithMessageCredential
Feel free to let me know if there is anything I can help with.