Why is transport security only hop to hop?
I have read at several places that transport security is only hop to hop (vs. endpoint to endpoint), and thus has limited use in internet scenarios where there may be several hops in-between your endpoints. First, is this correct? Second, why is transport security only hop to hop? What is preventing the intermediary nodes from simply relaying what they have gotten from their respective receivers?
What they mean when they say that transport security provides only hop-by-hop protection is that at the intermediate steps, the incoming data stream is unencrypted and the intermediary can see the message in plain text if it so wishes. The intermediary does encrypt the message again before passing it on to the next node. So if the intermediary nodes are trusted nodes (your own servers) there is no harm in using transport security, but if the intermediary nodes are not owned by you, these nodes can see the plain message and your data is vulnerable.
This brings me to the question: what are intermediary nodes? Are these the nodes specified in clientVia? So if I don't have any clientVia entries (as is mostly the case), can I safely use transport security without the need for message-level security?
References:
http://www.silverlighthack.com/post/2008/12/10/WCF-101-Understanding-Transfer-Security-Visually.aspx. There is a nice diagram here, but per my understanding above, I think part of it is wrong.
http://msdn.microsoft.com/en-us/library/ff647370.aspx
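The hop-by-hop claim in the question can be made concrete with a small simulation. This is an added example, not code from the question, the linked articles, or WCF itself. It models each transport link (client to hop 1, hop 1 to hop 2, hop 2 to server) as a separately keyed channel, the way each TLS session is, and models message security as an extra layer keyed only between the two endpoints. The cipher is a constructed toy keystream built from SHA-256 so the script runs with the standard library alone; it stands in for TLS and WS-Security here and must not be used as a real cipher.

```python
"""Transport (hop-by-hop) vs message (end-to-end) protection, simulated.

Constructed example. `toy_encrypt`/`toy_decrypt` are a stand-in for a
real cipher: a SHA-256 counter keystream XORed into the data. Each hop
holds the key of its inbound link and the key of its outbound link,
exactly like a TLS-terminating proxy that decrypts and re-encrypts.
"""
import hashlib
import os

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class Hop:
    """An intermediary (proxy, router, gateway). Transport protection is
    removed on its inbound link and re-applied on its outbound link, so
    whatever sits inside the transport layer is visible to it."""

    def __init__(self, name: str, inbound_key: bytes, outbound_key: bytes):
        self.name = name
        self.inbound_key = inbound_key
        self.outbound_key = outbound_key
        self.observed = b""  # what this hop could read while relaying

    def relay(self, blob: bytes) -> bytes:
        payload = toy_decrypt(self.inbound_key, blob)   # transport layer ends here
        self.observed = payload                          # the hop sees this
        return toy_encrypt(self.outbound_key, payload)   # new transport layer


def send(payload: bytes, hops: list, client_link_key: bytes,
         message_key: bytes = None) -> bytes:
    """Client -> hops -> server. If message_key is given, the payload is
    additionally protected end to end before it enters the first link."""
    body = payload if message_key is None else toy_encrypt(message_key, payload)
    blob = toy_encrypt(client_link_key, body)
    for hop in hops:
        blob = hop.relay(blob)
    return blob  # protected only by the last hop's outbound link key


def run_scenario(use_message_security: bool) -> dict:
    """Returns what the server decrypts and whether each hop saw plaintext."""
    secret = b"SOAP body: transfer 1000 to account 42"  # constructed sample
    k_client_hop1 = os.urandom(32)
    k_hop1_hop2 = os.urandom(32)
    k_hop2_server = os.urandom(32)
    message_key = os.urandom(32) if use_message_security else None

    hops = [Hop("hop1", k_client_hop1, k_hop1_hop2),
            Hop("hop2", k_hop1_hop2, k_hop2_server)]
    blob = send(secret, hops, k_client_hop1, message_key)

    server_view = toy_decrypt(k_hop2_server, blob)       # strip last transport layer
    if message_key is not None:
        server_view = toy_decrypt(message_key, server_view)  # strip end-to-end layer

    return {
        "server_reads": server_view,
        "hops_see_plaintext": [h.observed == secret for h in hops],
    }


if __name__ == "__main__":
    for flag in (False, True):
        r = run_scenario(flag)
        print("message security:", flag, "->", r["hops_see_plaintext"])
```

With transport security alone both hops read the body; with the end-to-end layer present they only ever see ciphertext, while the server still recovers the message. Whether a real deployment has such hops is a question about the network path (TLS-terminating proxies, load balancers, routing intermediaries), not something the simulation can decide.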