I recently ran into a security message warning our users the application was mixing HTTP modes, i.e. running under HTTPS but making one or more calls under the hood over HTTP. You can imagine my surprise. After some research two articles ( 1, 2 ) explain what was likely going. After some thought and a code review I realized it was likley our Silverlight client configuration causing the mixed mode. It was .. so let me expalin.
The application leverages DevExpress Silverlight RichText Editor ( 10.1.5 SL Suite ) to provide a word like editor in the browser for managing correspondence templates. The SL suite we are using requires Silverlight 3.0 but will work with Silverlight 4.0 as well ( MS designed SL 4.0 to be backward compatitable with SL 3.0 THANKS! ). The application hosts the SL control in an ASP.NET 3.5 application. The SL application is launched using an SLDriver.aspx page passing information to the silverlight control via querystring values. Once the SL application is launched the client version is checked, if the server xap package is more recent or does not exist on the client the package is download to the client machine. Within the xap package a client configuration file exists defining the service model bindings and service endpoint ( ServiceReferences.ClientConfig). In our case we are pointing the to an ASP.NET Web Service endpoint the application will use to send and received data. JSON is our data exchange medium of choice between the ASP.NET Webservice and Silverlight applicaiton.
The highlight section defines the client endpoint, basically the URL of the ASP.NET Web Service the SL application will communicate with for all data exchange. Please notice the default is to communicate over HTTP, binding is basicHttpBinding using SOAP. If we want, there is an option to add a customBinding type but that is out of the scope of this blog post ( read more here.aspx) ). In our scenario, every communication from the SL application to our ASP.NET Web Service will be over HTTP using SOAP messages.
The ASP.NET website will be deoloyed over HTTPS not HTTP. Meaning all communication for this site is expected to be over HTTPS. In our case, the following security warning message seen below is presented to the client. Indicating our application is communicating in mixed mode, HTTPS and HTTP. IE 7 and IE 8 are smart enough to capture this security risk, asking the user weather or not to proceed. IE is not expecting our application to communicate in the background over HTTP. You can read more details on this behavior here.
In most cases tools like Fiddler can capture the HTTP/S requrests to help determine what requests in your application are occuring over HTTP. In our case it was clear part of the issue was the hardcode HTTP reference in the SL application ServicesReference.ClientConfig.
The solution is to change the security mode for the service model binding defined in the ServicesReference.ClientConfig. The security mode is based on the BasicHttpSecurityMode.aspx) enumerations ( None, Transport, TransportWthMessageCredential, TransportCredentialOnly ). In our case, BasicHttpSecurityMode.Transport is sufficent, security is provided over HTTPS with SSL certificates configured. The HTTPS will protect the SOAP messages. To implement this in the ServicesReference.ClientConfig do the following:
- Ensure Web Site hosting ASP.NET application is configured to use SSL, port 443 with a certificate.
- Ensure the ASP.NET site can be hit using HTTPS.
- Updated the client endpoint address attribute url in ServiceReferences.ClientConfig on the Server in *.xap package to use HTTPS.
- Updated the service model bindings basicHttpBinding security settings to use Transport mode.
If you are hosting silverlight application in an ASP.NET web application hosted over HTTPS ensure your ServicesReference.ClientConfig is configured to use service model bindings basichttpbinding security mode of Transport and your client endpiont address URL is using HTTPS. For additional information on configuring web service usage in Silverlight clients.aspx).