I am concerned with MITM attacks in the Silverlight application I am writing. The site will be running over SSL. If my site is the victim of a MITM attack, as far as I know, my only defense right now is the warning page the browser displays when the site's certificate is untrusted. Since it is only a browser, the best it can do is simply warn the user and then let them through anyway. User's can be click happy, and tend to not read things. Therefore, chances are they will read this warning, scratch their head, and continue on to the site. My thought was that since I am writing a robust Silverlight application, I should be able to either detect if the browser is seeing a certificate error, or perform that same verification that the browser performs. Then if I determine that there is a problem, I can simply lock down my entire app so that the user does not expose any critical information to the MITM. The problem that I am having is that I can't seem to find the right classes in Silverlight's limited subset of .NET to do what I need to do. Does anyone know how I can accomplish this goal, or a different way around this issue?
A:
This isn't possible as far as I know - Silverlight uses the browser's networking stack, and as a result relies on its networking warnings and security infrastructure.
Silverlight 3 added a new networking stack, but I believe that in general the same applies: your host server's certificate is validated when the .xap (Silverlight application) is downloaded by the browser, and not something you can check or interact with in code.
Jeff Wilcox
2009-08-17 19:53:52
Ok, so I am at the mercy of the browser's validation. Do you see any way to essentially accomplish the same goal (preventing MITM) using another technique?
Hydroslide
2009-08-21 14:43:36
A:
IMHO You may check the certificate that is stored locally since browser will save a copy of it after SSL request. Check out this article. I hope it will give you some hints
Sorantis
2009-08-17 19:59:21
This answer doesn't work or apply to Silverlight, as the referenced article is for the full .NET framework; Silverlight's sandbox excludes this sort of access.
Jeff Wilcox
2009-08-18 05:36:46