I'm trying to understand how to send encrypted email from an ASP.NET application using an SMTP server set up on IIS. Apologies in advance if I'm not being clear - I'm fundamentally a programmer and my understanding of email is limited.
I know that the SMTP server can be configured to insist on TLS/SSL encryption. What I'm not clear about is how this works with the EnableSsl property of System.Net.Mail.SmtpClient() and the implications when sending to recipients which don't support encryption.
My goal is to ensure that emails sent to certain recipients are always encrypted, but I don't want emails to fail when sent to other recipients whose receiving SMTP servers don't support encrypted messages.
Is it possible therefore to use SSL conditionally in my scenario based on the intended recipient?
Usually mail is delivered to a mail server local to the sender, i.e. your "SMTP server set up on IIS". This mail server then looks up which servers are responsible for the recipient's domain and forwards your mail to these servers.
While you can control how the connection is done between your application and your SMTP server (i.e. TLS or not) you have no control how this mail is forwarded from there on. But modern mail servers typically use TLS if the remote mail server offers support for it and fall back if TLS is not supported by the remote server.
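The relay-side decision described in this answer, as an added example that is not part of the original answer: it parses the recipient server's EHLO reply and chooses between upgrading to TLS, falling back to clear text, or holding the message. The EHLO replies are constructed sample data, and `REQUIRE_TLS_DOMAINS` and the `defer` outcome are a hypothetical per-domain policy, not a setting taken from IIS or from the answer.

```python
# Constructed EHLO replies (sample data, not captured from real servers).
EHLO_WITH_TLS = (
    "250-mx.partner.example Hello relay.sender.example\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_NO_TLS = (
    "250-mx.legacy.example Hello relay.sender.example\r\n"
    "250-SIZE 10240000\r\n"
    "250 HELP\r\n"
)

# Hypothetical policy: domains whose mail must never leave the relay in clear text.
REQUIRE_TLS_DOMAINS = {"partner.example", "legacy-bank.example"}


def ehlo_extensions(reply: str) -> set[str]:
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines:
        raise ValueError("empty EHLO reply")
    for ln in lines:
        # Every line is "250-" (more lines follow) or "250 " (last line).
        if not (ln.startswith("250") and len(ln) > 3 and ln[3] in "- "):
            raise ValueError(f"unexpected reply line: {ln!r}")
    # Line 1 is the greeting; each later line starts with an extension keyword.
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}


def plan_delivery(recipient: str, ehlo_reply: str) -> str:
    """Decide how the relay hands the message to the recipient's server."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if "STARTTLS" in ehlo_extensions(ehlo_reply):
        return "starttls"   # upgrade the connection before sending the message
    if domain in REQUIRE_TLS_DOMAINS:
        return "defer"      # keep the message queued instead of sending in clear
    return "plaintext"      # the opportunistic fallback the answer describes
```

Because the EHLO reply itself travels in clear text, a device on the path can strip the STARTTLS line, so only the `defer` branch guarantees that a message never leaves unencrypted.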
Related
I have been reading about SSL/TLS and certificates recently to enable HTTPS for one of our websites.
As far as my current understanding goes, an SSL/TLS certificate verifies whether we as a client are connected to the correct site. For that, the signature inside the certificate is used to verify whether the certificate is legitimate. And finally, to establish a secure connection, algorithms like ECDHE (Elliptic-curve Diffie–Hellman) are used.
My question is: if I want to connect to a website, say "www.mysite.com", and I key in "www.mysite.com" into my browser address bar, I am guaranteed that I will be connected to the correct website. So what is the purpose of having an SSL/TLS certificate installed on a web server when I know that I am keying in the proper address?
Am I missing something in my understanding of how HTTPS works?
Also, the ECDHE algorithm does not rely on any information like the public key from the certificate to establish a secure connection.
... if I want to connect to a website say, "www.mysite.com" and I key in "www.mysite.com" into my browser address bar, I am guaranteed that I will be connected to the correct website.
You are not. With a variety of techniques like DNS spoofing, ARP spoofing, hijacked SoHo routers, ... it is possible that an attacker reroutes your traffic so that it ends up at a server controlled by the attacker and not the actual server you want to reach. Validating that the certificate you've got from the server is the expected one protects against such attacks.
I would like to build a user management system.
I think it's not secure to send users' passwords from browsers to servers over HTTP.
But I'm not sure if it's secure to send messages to servers over HTTPS.
Can the password be attacked when using HTTPS?
Thanks
My question is about networking. I'm just looking for a simple answer, yet I couldn't find one after an hour of research. I know there are techniques such as Wi-Fi hotspots, man-in-the-middle attacks, local networks, echo switches, etc. But I couldn't find an answer to my specific question.
Let's say, client A wants to communicate with server B, and server B says client A must authenticate himself via HTTP basic authentication first. My question is, what happens if client A sends the authentication credentials via HTTP layer (insecure), who can read the HTTP headers that the client A sends to server B over the internet? Would it be easy to do that? Like placing a breakpoint between two arbitrary routers, which help to transfer the packets across the internet, in order to read those headers? How does it work in general?
Thank you!
PS.: I am not trying to learn and do it. I just want to know, how dangerous it would be, if the HTTP basic auth is made via the insecure HTTP layer.
Who can read the HTTP headers that the client A sends to server B over the internet?
Your network provider (e.g. Wi-Fi hotspot provider).
Your Domain Name System server (DNS, as 192.168.1.1).
Your Internet Service Provider (ISP).
Your Virtual Private Network if using one (VPN server).
Yourself or a virus.
And here comes HTTPS (HTTP + SSL encryption).
SSL is about communicating in a language that only you and the server understand.
How dangerous it would be if the HTTP basic auth is made via the insecure HTTP layer?
Well, from the above, you can totally get that a simple virus or even a public Wi-Fi hotspot device can capture and see all of your data if the communication was done over a plain HTTP socket.
A simple packet may contain all of your device information, including its basic contents such as your passwords, credit card information, the HTML form for the signup/login that you've just completed with all its data, VoIP calls and messages being sent to the server + upcoming/received ones.
That's why we need SSL encryption, and the server should have a valid SSL certificate too.
By the way, your device may have sent thousands of packets while you read this now!
Capturing the packets that your device sends, or even the packets that other devices on your network send, can be done through any packet capturing tool or software such as Wireshark.
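What "reading the headers" means for HTTP basic authentication specifically, as an added example that is not part of the original answer: the Authorization header carries the username and password only base64-encoded, so any party that sees the bytes recovers them without a key. The request, host name and credentials below are constructed, and `server_should_refuse` is a hypothetical server-side guard.

```python
import base64

# Constructed request, exactly as it would cross the network over plain HTTP.
CAPTURED_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: server-b.example\r\n"
    b"Authorization: Basic Y2xpZW50QTpjb3JyZWN0LWhvcnNl\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def basic_credentials_in_clear(raw: bytes):
    """Return (user, password) readable by anyone who sees these bytes, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                        # other schemes are not handled here
        try:
            # base64 is an encoding, not encryption: no secret is needed to reverse it.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:                     # bad base64 or bad UTF-8
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None


def server_should_refuse(raw: bytes, connection_is_tls: bool) -> bool:
    """Hypothetical guard: Basic credentials that arrived unencrypted count as exposed."""
    return basic_credentials_in_clear(raw) is not None and not connection_is_tls
```

A server that applies a guard like this can redirect the client to HTTPS before issuing the authentication challenge, so the header is never sent in the clear in the first place.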
I know that SMTP is the default protocol used to send mail. But I have read that the HTTP protocol is used by webmail (such as Hotmail, Yahoo, etc.) to send mail from your desktop to the mail server, which then uses SMTP to forward it to the destination server. Is that correct?
No. Webmail provides an HTTP interface to the client, and they might store the mails written in a database or push them via whatever protocol (HTTP, SOAP, ...) to another server - but at the end they have to use SMTP because that's what all other mail servers speak, and thus this is the way to deliver mail to recipients outside the webmail's domain.
HTTPS is widely used for security online. It offers security and integrity, but not authentication. To ensure the client is not talking to a man-in-the-middle, we have digital certificates and the PKI. It all works very well, except in the situation where the following criteria apply:
The server and client do not share a common, trusted root CA, therefore they cannot validate each other's certificates
Circumstances (e.g. firewall, permissions, etc.) do not permit the use of the regular HTTPS protocol
The question is: can we still send secure, authenticated messages between the client and server, perhaps using JavaScript?
Something along the lines of:
1. Client sends regular HTTP request to server
2. Server responds with page containing JavaScript code
3. Client's JavaScript asynchronously sends data to the server used to negotiate
4. Server runs some sort of script (e.g. PHP) to establish the tunnel
5. Client and server communicate over the encrypted tunnel
I can see it being possible to send messages with security and integrity in this manner, but is it possible to authenticate without making use of the PKI, perhaps by exploiting the fact that the server can dynamically rewrite the Javascript sent to the client?
There is an issue in your step 2 (Server responds with page containing JavaScript code):
How do you know someone sitting on the wire is not modifying this JavaScript, since it is being transferred in plaintext? Basically, when X wants to authenticate Y, X should know something about Y - it could be public information such as a public key/certificate, or a shared secret that it could verify.