Consuming HTTPS web service using WCF
I'm trying to consume a client's web service using WCF. The client's web service is done over HTTPS, and I can consume it fine with the following binding:
<bindings>
  <basicHttpBinding>
    <binding name="PurchaseOrderSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
             bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
             maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
             messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
             useDefaultWebProxy="true">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <security mode="Transport" />
    </binding>
  </basicHttpBinding>
</bindings>
However, our security team have told me I need to use Message or TransportWithMessageCredential security, because Fortify 360 complains that Transport security is too weak.
When I try Message I get this error:
System.InvalidOperationException: BasicHttp binding requires that
BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the
BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select
Transport or TransportWithMessageCredential security for UserName credentials.
And with TransportWithMessageCredential I get the following error:
System.InvalidOperationException: The username is not provided. Specify username in
ClientCredentials.
I've not got a username/password (I can connect to it fine in my browser), so my question is:
Can I use Message or TransportWithMessageCredential when consuming an existing HTTPS web service (without the publisher making any changes)? If so, what changes do I need to make to my configuration?
Edited to clarify question.
If you cannot get the third party vendor to add an endpoint to their service that supports message security then you are stuck. It seems they currently only support basicHttpBinding with transport level security.
Transport security is not "less" secure than message level security. Message level security means the contents of the soap message are encrypted. This allows you to either store or relay a message in a clear text way and still be assured no one can peek at the message. If all you are doing is communicating between your system and the vendor over the internet then transport and message level security are equally secure.
The basicHttpBinding only supports username and certificate message security. So one option, if you don't have a mechanism for validating user credentials on your system, is to use certificates.
<security mode="TransportWithMessageCredential">
  ...
  <!-- Certificate rather than UserName: UserName is what produces "The username is not provided" -->
  <message clientCredentialType="Certificate"/>
</security>
The other option is to use a different binding, like wsHttpBinding, which has message security enabled by default and also supports Windows and Issued Token credential types. Which of these you implement is largely dependent on your implementation requirements and environment.
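The same TransportWithMessageCredential-plus-certificate setup built in code rather than app.config, as an added example that is not from the answer above. The contract, endpoint URL and certificate subject name are placeholders; as the answer notes, this only works once the vendor exposes an endpoint that accepts message credentials.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Placeholder contract; the real one is generated from the vendor's WSDL (svcutil / Add Service Reference).
[ServiceContract]
public interface IPurchaseOrderSoap
{
    [OperationContract]
    string SubmitOrder(string orderXml);
}

public static class PurchaseOrderClient
{
    public static IPurchaseOrderSoap Create()
    {
        // Equivalent of <security mode="TransportWithMessageCredential">:
        // HTTPS protects the channel, and the SOAP message additionally carries a client credential.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);

        // basicHttpBinding accepts only UserName or Certificate here. UserName is what raised
        // "The username is not provided"; Certificate needs no password at all.
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;

        // Placeholder address: the vendor must actually expose an endpoint configured this way.
        var endpoint = new EndpointAddress("https://vendor.example/PurchaseOrder.asmx");
        var factory = new ChannelFactory<IPurchaseOrderSoap>(binding, endpoint);

        // Client certificate used to sign the message; the subject name is an assumption.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "purchase-order-client");

        // Keep the default chain validation of the service's certificate; do not relax it to
        // X509CertificateValidationMode.None to make a misconfigured endpoint "work".
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;

        return factory.CreateChannel();
    }
}
```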
Do you not have some sort of exception policy by which you can take a note of why it's impossible to implement Fortify's best recommendation?
I would think the best you can do is communicate with your webservice vendor and ask for an enhancement to support Fortify's transport guidelines.
Also: I'm suspicious that you say the web browser connects you without a credential. This probably means the system you are connecting to is a little more complex than your assumptions. Different connections or different URLs may be served by different servers (SSO?) or may be subject to different security policies (client certificate, etc.).