Securing logging implementation through Silverlight integration Pack

Topics: Silverlight Integration Pack
Nov 18, 2011 at 6:34 AM

I have WCF services being consumed through a Silverlight client. I am using logging on the client side through the

Silverlight Integration Pack features. I have to do only diagnostic logging. The messages get buffered on to the

client side for batch logging. As suggested in the guidance will use HttpsTransport for sending the logs. Any

suggestions for making the logging implementation as secure as possible? Does buffering on the client side cause a

security risk in terms of the messages being accessed by someone unauthorised?

Nov 20, 2011 at 1:19 AM

"As secure as possible" is an open question.  

A good place to start is to read Securing Access to Services for Silverlight and all of the sub sections.  There is a lot of good content there.

Things to consider are not just transport security (SSL) but authentication and authorization, restricting access to service metadata.  Cross-domain calls open up a security surface area so that should be thought about/minimized where possible.  

Client side buffering would increase the security risk slightly but to my mind it would be minimal since all of the data is already in memory and, since .NET garbage collection is non-deterministic, it's not clear how long those objects would be in memory anyway.  For additional Silverlight security considerations look at Silverlight Security at MSDN as well as this good article: Silverlight, WCF, Security And Things You Might Not Know.


Randy Levy
Enterprise Library support engineer

Nov 21, 2011 at 11:15 PM
Edited Dec 8, 2011 at 1:03 AM

As an addendum to my previous post, I will add the the RemoteServiceTraceListener can use IsolatedStorage to store buffered messages.  So messages could be persisted to disk where they could potentially be accessed.  So that is more of a risk than just being in memory.  How much of a risk depends on what data is in your LogEntry's and if you are already using IsolatedStorage (and what you are storing there).

Randy Levy
Enterprise Library support engineer