tags:

views:

165

answers:

1
Q: 

HTTPWebRequest, SSL end point validation and

Hi,

I'm writing an client application that has to query a URL and confirm the user is authorized to be used the client. Think of it as a very rudimentary licensing mechanism. The page on the server writes out a plain text string including some information about the user which serves as the validation. All this is done over SSL.

However, I'm a bit paranoid as to whether this "system" is secure enough. For example, if I setup Fiddler and check SslPolicyError in ServicePointManager.ServerCertificateValidationCallback, it comes off as valid. So, I can easily break the system with Fiddler. What I did notice is that in this case, the X509Certificate parameter holds Issuer:= ...fiddler2.com Now, I can check whether the certificate issuer matches what the server uses right now. But the server certificate maybe renewed with a different CA. If that happens I'd end up having to get all users to install a new client: a support nightmare.

I'd like to know,

Is this a bad system by design? As in, is SSL inadequate to guarantee enough security in this case?

or

Am I trying to validate the endpoint incorrectly and if so what's the better way to do the validation?

A: 

SSL provides transport layer security. So, in this case, if you have fiddler in between, you are really only authenticating your client against Fiddler, not against the destination server.

Also, if the server certificate is renewed with a different CA, it should not matter as long as that CA is trusted on the client. You can ask the user to confirm that he trusts the CA and install the CA certificate into the "My Computer" store, under the "Trusted Root Cert Authorities" store. Since this is a client application, it would be better to delegate all such issues to the user, and your app can just do the core stuff which is getting the token from the server.

If you dont want to have user interaction, then you can code your client so that it does not care about who issued the certificate, as long as the Name on the cert matches the domain name of the server that you are talking to.

Hope that helps.

feroze  2010-01-01 21:58:37
Hi, thanks for the reply.I'm actually worried about malicious users that use self signed certificates to by pass our licensing check to his own site: and there by returning a bogus positive response to make our system think it's valid.
scorpion  2010-01-03 13:19:14
I am not clear what your issue is? Are you worried about a spoofed client, or a spoofed server?If you are worried about a spoofed client, then you can have a registration process as the first step, where the client gets a Key. Then the client uses the provided key to communicate with the server. The key is just a token that the server asssigns, and all communication could be done over SSL.
feroze  2010-01-03 17:43:48
Yes, what you are describing is similar to what we ended up using.Thanks.
scorpion  2010-01-13 06:45:20

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?