Encryption

So far, we’ve discussed only one aspect of security: authenticating users and authorizing tasks. Authentication is the heart of security design, but it’s not the only consideration. With a network sniffer, a malicious user could extract ticket GUIDs, usernames, and passwords as they flow between client and server, not to mention sensitive data such as credit card information. If you use integrated Windows authentication, malicious users won’t be able to retrieve passwords and account information, but they will still have easy access to any other sensitive data transmitted between the client and the server-side object. In fact, if you’re using the SOAP format, this information is sent in clear-text messages.

The only way to protect communication ...
