
Secure Communication Between .Net Application and Website

Recently, we developed an application that we want its users to pay a monthly subscription for in order to use it. So the first thing that came to our minds was how to implement a secure way for our application to check the user's validity, and these ideas came up:

  1. Using WebClient to enter our website and Login using the user-provided credentials: however, this might be vulnerable to a MITM attack.
  2. Using the first approach but with an SSL certificate (to make sure that we are connecting to our server and not the attacker's): however, Fiddler can easily do a MITM attack and decrypt the SSL communication, which will result in the same vulnerability as the first approach.

Due to the internet's lack of documentation on what we need, we had to ask here for someone to explain how we could make sure that:

  1. Our application only connects to our server and not to any fake server hosted by the attacker.
  2. The communication is secure: not altered or edited somehow in order to grant unfair access to our application (by sending a fake response to the app or editing the original response before the application receives it).

Note: we totally understand that the attacker may just deobfuscate the application and do whatever he wants to it. So we are planning to get a good obfuscator in order to at least make it harder for the attacker to do so.

You can use SSL Certificate Pinning.

Set the ServerCertificateValidationCallback to only accept your certificate's public key, or one of its signers. (This means you can never change certificates.)

This will completely prevent SSL MITM (which works by using a different certificate and making the computer trust it).

Of course, it doesn't prevent attackers from cracking open your app and bypassing the check altogether, especially if you store local state.
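The pinning the answer describes, as an added example that is not part of the original answer: a validation callback that keeps the normal chain checks and additionally requires that the leaf certificate or one of its signers match a pinned SHA-256 hash of the public key. It hooks both `HttpClientHandler.ServerCertificateCustomValidationCallback` (for `HttpClient`) and `ServicePointManager.ServerCertificateValidationCallback` (for the `WebClient` the question mentions). The pin values are constructed placeholders; `SpkiPin`, `PinnedPublicKeySha256` and `PinnedHttp` are names chosen for this example. Pinning a backup key you hold offline is what avoids the "you can never change certificates" problem: rotate to the backup key, then add a new backup pin in the next app release.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedHttp
{
    // Constructed placeholder pins: base64(SHA-256(public key bytes)).
    // Generate the real values with PinOf("server.cer") for your current
    // certificate (or its intermediate CA) and for a backup key kept offline.
    static readonly HashSet<string> PinnedPublicKeySha256 =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "PLACEHOLDER_PRIMARY_PIN_BASE64=",
            "PLACEHOLDER_BACKUP_PIN_BASE64=",
        };

    // Hash of the certificate's public key bytes (the BIT STRING inside the
    // SubjectPublicKeyInfo); works for RSA and ECDSA keys alike.
    public static string SpkiPin(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
    }

    // Helper for generating pins from an exported certificate file.
    public static string PinOf(string cerPath) => SpkiPin(new X509Certificate2(cerPath));

    // Shared validation logic: standard chain validation must already have
    // passed (the pin is an extra constraint, not a replacement for it), and
    // at least one certificate in the chain must match a pinned key.
    static bool IsPinned(X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || certificate == null || chain == null)
            return false;

        foreach (X509ChainElement element in chain.ChainElements)
        {
            if (PinnedPublicKeySha256.Contains(SpkiPin(element.Certificate)))
                return true;
        }
        return false; // valid chain, but not our key: refuse the connection
    }

    // HttpClient (modern .NET): per-handler callback.
    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => IsPinned(cert, chain, errors)
        };
        return new HttpClient(handler);
    }

    // WebClient / HttpWebRequest (.NET Framework): process-wide callback.
    public static void InstallForWebClient()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) => IsPinned(cert, chain, errors);
    }
}
```

A MITM proxy such as Fiddler presents its own certificate, so even when the user has trusted the proxy's root CA and chain validation passes, no element of the chain carries a pinned key and `IsPinned` returns false. Hashing the public key rather than the whole certificate lets you renew the certificate with the same key pair without shipping a new pin.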
