如何安全地从我们的网站下载最新的XML文件?
[英]How to download latest XML file from our website securely?
问题描述
We're writing a console app which is to be installed on client's machines. 
我们正在编写一个将在客户端计算机上安装的控制台应用程序。 It's possible we'll want to update an XML file used by the app. 我们可能需要更新该应用程序使用的XML文件。 How can I ensure the file is downloaded safely from our servers, eg no malicious files instead? 如何确保从我们的服务器安全下载文件,例如没有恶意文件?
I presume the app would call our API to get the latest version number. 我认为该应用程序将调用我们的API以获取最新版本号。 If its newer than what it has, it would download this XML file from the specified URL. 如果它的版本比现在的版本新,它将从指定的URL下载此XML文件。 However doesn't this make it vulnerable to man in the middle attacks or similar? 但是,这难道不使它容易受到中级攻击或类似情况的攻击吗? I want to ensure our app is not responsible for downloading a malicious file (eg could be a malicious exe file). 我想确保我们的应用程序不负责下载恶意文件(例如可能是恶意exe文件)。
Any help/guidance would be appreciated! 任何帮助/指导将不胜感激!
2 个解决方案
解决方案1
2 已采纳 2011-12-16 13:52:08
You need to sign the XML file with a private key on your server, then verify it on the client with a public key embedded in your app. 您需要在服务器上使用私钥对XML文件签名,然后在客户端中使用嵌入在应用程序中的公钥对XML文件进行验证。
This will only help if you have a secure mechanism to deliver the initial app with its public key (eg, HTTPS) 这仅在您具有安全的机制来交付带有其公共密钥的初始应用程序(例如HTTPS)时才有帮助
解决方案2
1 2011-12-16 13:55:03
Serve the file over https and make sure the client checks the certificate. 通过https提供文件,并确保客户端检查证书。 That way you're sure the file comes from the correct server and is not changed somewhere on the line. 这样,您可以确定文件来自正确的服务器,并且在行中未更改任何位置。 Assuming you keep your server secure that should be enough to be sure you get the correct file. 假设您确保服务器安全,那足以确保获得正确的文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.