Is it secure enough to use Digest HTTP Authentication combined with SSL encryption? - http

I am designing a mobile application which is supposed to interact with a remote server through the HTTPS protocol. This means that the system will manage to encrypt messages and keep the communication confidential by using an SSL certificate.
Well, I would also like to provide an authentication method in order to protect the system from external attacks and make it accessible only to users with valid credentials.
I'm now wondering if Digest HTTP Authentication (http://php.net/manual/en/features.http-auth.php) could be a good idea or not.
I guess so, especially because I think there should be no particular risk since that way I should manage to combine encryption and authentication.
However, I've read somewhere that if I use SSL, HTTP basic authentication is secure enough. Is that true? What do you guys think about that?
Do you guys by chance have any suggestion?
Thanks a lot!
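As an added example (not part of the question or of the PHP manual page it links), here is how the Digest response defined in RFC 2617 is computed and verified server side in Python, assuming algorithm=MD5 and qop=auth; the credentials and nonce are the RFC's own test vector. Digest only keeps the password itself off the wire, so TLS is still what protects the rest of the exchange.

```python
import hashlib
import hmac
import re

def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for algorithm=MD5, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # a server may store HA1 instead of the password
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted and bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^\s",]+))', header[7:]):
        fields[key] = quoted or bare
    return fields

def verify_digest(header, method, request_uri, issued_nonces, lookup_password) -> bool:
    """Server-side check: the nonce must be one we issued, the uri must match the
    actual request, and the response must equal what the stored credential produces."""
    f = parse_digest_header(header)
    needed = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in f for k in needed) or f.get("qop", "auth") != "auth":
        return False
    if f["nonce"] not in issued_nonces or f["uri"] != request_uri:
        return False
    password = lookup_password(f["username"])
    if password is None:
        return False
    expected = digest_response(f["username"], f["realm"], password, method,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return hmac.compare_digest(expected, f["response"])  # constant-time comparison

# Constructed sample: the RFC 2617 section 3.5 test vector.
USERS = {"Mufasa": "Circle Of Life"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

def sample_header(password="Circle Of Life"):
    resp = digest_response("Mufasa", "testrealm@host.com", password, "GET",
                           "/dir/index.html", NONCE, "00000001", "0a4f113b")
    return ('Digest username="Mufasa", realm="testrealm@host.com", '
            f'nonce="{NONCE}", uri="/dir/index.html", qop=auth, nc=00000001, '
            f'cnonce="0a4f113b", response="{resp}"')

def demo() -> bool:
    return verify_digest(sample_header(), "GET", "/dir/index.html", {NONCE}, USERS.get)
```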

Related

How to protect passwords from a spoof server

I have a client-server application which allows users to run any code on the server over the network. I want to protect the user from connecting to some other server that behaves like the real thing but steals passwords. How can I do that?
Neither the server nor the client can be expected to have internet access, so the certificate authority is out of the question. Is there any other way to verify that it's my code I'm talking to, even if someone gets the source code?
The simplest solution is using SSL with a self-signed certificate. Then hardcode the server's certificate into the client. Most SSL libraries offer some way to roll your own certificate validation logic, or change the collection of valid CAs.
This assumes you can keep the server's certificate secret.
In principle SRP could be an alternative. But you should not implement it yourself, since it's very easy to make subtle mistakes that appear to work but make the system insecure. Some SSL libraries, such as GnuTLS, have support for SRP.
Is your attacker likely to gain root access to your real server? If not, then you can establish a self-signed certificate (as suggested by CodesInChaos) and rely on operating system permissions to prevent unauthorised users from reading the private key file. You can then be confident that your clients are only connecting to your real server (via SSL).
If an attacker can gain root access to your real server, you have many problems to deal with. Firstly, the attacker can read process memory at will, so any sensitive materials exposed in server memory (such as the passwords you mention) will be accessible. Also, the attacker can steal your private key and establish their own server (although why would they, when they can simply snoop on your real server memory).

Secure File Uploader ASP.net

I run an asp.net 2 application and am looking for a way to have users upload files from my web app. The main issue here is that I want this to be secure. What is the best way to accomplish this?
What do you mean by secure? Secure can mean anything from HTTP Authentication to TLS/SSL data encryption.
If you want the connection to the server to be "secure", using SSL will encrypt the data transmitted between the client and the server.
Using e.g. HTTP Authentication, only the people who have the correct credentials will be able to access your pages, but people sniffing the network packets will not have a hard time viewing the data transmitted unless the connection is encrypted.
What I suspect you would want, if this should be an application with an above-average security level, is to use ASP.NET Forms Authentication along with SSL using https.
There is a similar solution.
But it is for PHP. You may rewrite the code for checking the file type.

SecureAMFChannel with certificate

Basically, I'm using a remote object that accesses a secure EndPoint. This EndPoint is located on my server. It means that my channel is a SecureAMFChannel. If I accept the certificate by going directly to this URL with my browser, then I'm able to run my Flex application and to exchange some data.
However, if I don't go to this URL to accept the server's certificate and launch my Flex application, the remoteObject is not able to accept the certificate. And of course, no information can be exchanged.
My problem is how to automatically accept a certificate in a Flex application. Do I need to configure something to accept it? Maybe my setup is not correct.
My certificate is self-signed; do you think that this problem could be solved by buying a certificate signed by a CA?
Could you tell me how to solve this?
Thank you very much,
Bat
You can't accept a self-signed certificate in Flex. The Flash Player trusts only those CAs that are trusted by the browser.
So, either add your own CA which you used to sign your certificate to the trusted CAs of your browser, or buy a certificate from a well-known CA. I'd strongly advise you to do the latter, since using self-signed certificates is more or less as insecure as using no SSL/TLS at all.

Easiest way to protect WCF services

I've been looking around and haven't been getting very far in my research of WCF security. I have a low-risk service I want to create, so I just want some basic security required for clients on different servers outside of the domain to be able to use it.
What's the easiest way in WCF? Is it just through the use of certificates?
Check this; it covers many security scenarios, use whichever suits your need.
And for authentication purposes you can easily opt for Username security, where you just need to pass a user name and password.
Easiest way to simply encrypt the transmission is if you're just using net.tcp binding, then you can turn on Transport security or Message security without needing to set up a certificate.
With WsHttpBinding message-level security (contents of the message are encrypted) is enabled by default and doesn't require an SSL cert. And if the clients are on the same Windows network then it'll use Windows Authentication and credentials by default, too, so you should be able to enable Transport security without needing an SSL cert there, either.
If you want to expose your service over HTTPS to the public internet then you'll need to obtain an SSL certificate and bind it to the port on the server that the service runs on, using httpcfg.exe (comes with Windows Server).

ASP.Net Is my web service secure enough?

I have a web service with several web methods. Each web method requires the client machine to send its MAC address, and the server will validate this client based on this information (if not valid then return an error) before proceeding to further operations. The communication between client and server is HTTPS. I only have about 20 clients or so. The question is: is my way of doing this right/secure or not? If not, then is there any simple way to do this?
Thanks,
It depends on your security requirements; there is no one definition of "secure enough". As others have said, the MAC can be spoofed, and is in effect just a shared secret/password. However, that is sufficient for many scenarios, when the confidentiality of the connection is ensured by HTTPS. You need to define what threats you want to protect the system from, and how much you're willing to invest in security.
No, it's not secure, because anyone who knows a valid MAC address in your database could call the web service. Of course, knowing a valid MAC address in your database is unlikely; it's as if he knew a password.
The client can spoof the MAC address of the machines which are authorized. So, this is not secure.
Protecting your web service through client certificates would provide better security.
Tutorial: http://www.codeproject.com/KB/WCF/9StepsWCF.aspx