[英]What's the Best idea to implement an Anti Connection Tampering for .Net application
what's the best way to implement an anti connection tampering for my .Net application. 对我的.Net应用程序实施防篡改的最佳方法是什么? for example, I don't want anyone to see what my application is sending to my server.. or at least encrypt the data have been sent to the server..
例如,我不希望任何人看到我的应用程序要发送到服务器的内容。或者至少要加密已发送到服务器的数据。
I just have a simple idea popped up on my mind right now and I'm not sure if that's the right thing to do in order to make it hard to understand what is my application is sending to my server.. anyway, my idea is to use SSL certificate.. is it a good way to prevent connection tampering? 我现在脑海中浮现出一个简单的主意,但我不确定是否要这样做才使您很难理解我的应用程序正在发送给服务器的内容..无论如何,我的主意是使用SSL证书..这是防止连接篡改的好方法吗?
any ideas or suggestions would be appreciated.. 任何想法或建议,将不胜感激。
The problem here is that potentially connection can be compromised in both ways - from client to the server and back. 这里的问题是,从客户端到服务器再到服务器的两种方式都可能破坏潜在的连接。 Adding SSL certification to the server wouldn't be enough and mutual authentication is required, but that means that you should issue a certificate to each of clients.
仅向服务器添加SSL认证还不够,并且需要相互认证,但这意味着您应该向每个客户端颁发证书。 But that seems to be strongest solution.
但这似乎是最有力的解决方案。
However, self-signed certificates could be used for traffic encryption only, as they could be easily hijacked - the most popular example is Fiddler's ability to capture https traffic. 但是,自签名证书只能用于流量加密,因为它们很容易被劫持-最受欢迎的示例是Fiddler捕获HTTP流量的能力。
As you ask for any ideas, you could be probably interested in concealing the fact of the connection at all. 当您提出任何想法时,您可能会对隐藏连接的事实完全感兴趣。 With some hacking it could be possible to inject some module into internet explorer, for example.
例如,通过一些黑客攻击,就有可能将某些模块注入Internet Explorer。 So your application would talk to the module and module, using IE environment - to the server.
因此,您的应用程序将使用IE环境与模块对话,并与服务器对话。 Server can even expose https interface and pretend to be normal web server.
服务器甚至可以公开https界面,并假装为普通的Web服务器。
By the way, the article Man-in-the-middle attack contains a list of tools you can try to check if your application is vulnerable to this sort of attack. 顺便说一句, 中间人攻击一文包含一系列工具,您可以尝试检查您的应用程序是否容易受到这种攻击。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.