Secure Communication Between .Net Application and Website
Recently, we developed an application that we want its users to pay for a monthly subscription in order to use it. So the first thing that came to our minds was how to implement a secure way for our application to check for the user's validity, and these ideas came up:

- WebClient to enter our website and Login using the user-provided credentials: however, this might be vulnerable to a MITM attack.
- SSL certificate (to make sure that we are connecting to our server and not the attackers'): however, Fiddler can easily do a MITM attack and decrypt the SSL communication, which will result in the same vulnerability as the first approach.

Due to the internet's lack of documentation of what we need, we had to ask here for someone to explain how we could make sure that:

- our application only connects to our server and not any fake hosted server (by the attacker).

Note: we totally understand that the attacker may just deobfuscate the application and do whatever he wants to it. So we are planning to get a good obfuscator in order to at least make it harder for the attacker to do so.
You can use SSL Certificate Pinning.

Set the ServerCertificateValidationCallback to only accept your certificate's public key, or one of its signers. (This means you can never change certificates.)

This will completely prevent SSL MITM (which works by using a different certificate and making the computer trust it).

Of course, it doesn't prevent attackers from cracking open your app and bypassing the check altogether, especially if you store local state.
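The pinning the answer describes, as an added example that is not part of the original question or answer: a .NET client that first requires a normally valid TLS chain and then additionally requires that some certificate in the chain (the leaf, or one of its signers) carries a pinned public key. It assumes .NET Core 3.0 or later (for ExportSubjectPublicKeyInfo), and the two pin strings are placeholders you replace with hashes of your own keys.

```csharp
// Added example (not from the original question or answer): public-key pinning
// in a .NET client. Assumes .NET Core 3.0+/.NET 5+; the pins below are PLACEHOLDERS.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedHttp
{
    // Base64(SHA-256(SubjectPublicKeyInfo)) of the keys we are willing to talk to:
    // the current server key plus a backup key (or the intermediate CA that signs it),
    // so a key rotation does not lock every installed client out.
    private static readonly HashSet<string> PinnedSpkiSha256 = new HashSet<string>(StringComparer.Ordinal)
    {
        "REPLACE_WITH_BASE64_SPKI_HASH_OF_CURRENT_KEY=",   // placeholder
        "REPLACE_WITH_BASE64_SPKI_HASH_OF_BACKUP_KEY=",    // placeholder
    };

    // Hash the DER-encoded SubjectPublicKeyInfo rather than the whole certificate,
    // so a renewed certificate that keeps the same key pair still matches the pin.
    public static string SpkiSha256(X509Certificate2 cert)
    {
        byte[] spki;
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            if (rsa != null)
            {
                spki = rsa.ExportSubjectPublicKeyInfo();
            }
            else
            {
                using (ECDsa ecdsa = cert.GetECDsaPublicKey())
                {
                    if (ecdsa == null) throw new NotSupportedException("Unsupported key type");
                    spki = ecdsa.ExportSubjectPublicKeyInfo();
                }
            }
        }
        using (SHA256 sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(spki));
        }
    }

    // The pin check. Order matters: first insist on a chain the platform already
    // considers valid (hostname, expiry, trust), THEN insist that a pinned key is in
    // it. Pinning narrows trust; it must never be used to widen it.
    public static bool ValidateWithPins(X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null || chain == null || errors != SslPolicyErrors.None)
            return false;

        foreach (X509ChainElement element in chain.ChainElements)
        {
            try
            {
                if (PinnedSpkiSha256.Contains(SpkiSha256(element.Certificate)))
                    return true;
            }
            catch (NotSupportedException)
            {
                // Unusual key type in this element; keep looking at the rest of the chain.
            }
        }
        return false; // technically valid chain, but not one of our keys: refuse
    }

    // HttpClient path: the handler-level callback is what SocketsHttpHandler honours.
    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => ValidateWithPins(cert, chain, errors)
        };
        return new HttpClient(handler);
    }

    // WebClient/HttpWebRequest path (what the question uses): the process-wide
    // ServerCertificateValidationCallback named in the answer.
    public static void InstallForWebClient()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) => ValidateWithPins(cert, chain, errors);
    }
}
```

To compute a pin for a certificate you hold, extract its public key in DER form and hash it: openssl x509 -in server.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64. Keeping a second, offline backup key pinned alongside the live one is what makes a later certificate or key change possible without shipping a new client build; and because the check returns false whenever the platform itself reports a chain error, an interception proxy with a locally trusted root still fails, since its key is not in the pinned set.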