How do I verify the host server's certificate in Silverlight?

Question

I am concerned with MITM attacks in the Silverlight application I am writing. The site will be running over SSL. If my site is the victim of a MITM attack, as far as I know, my only defense right now is the warning page the browser displays when the site's certificate is untrusted. Since it is only a browser, the best it can do is simply warn the user and then let them through anyway. User's can be click happy, and tend to not read things. Therefore, chances are they will read this warning, scratch their head, and continue on to the site. My thought was that since I am writing a robust Silverlight application, I should be able to either detect if the browser is seeing a certificate error, or perform that same verification that the browser performs. Then if I determine that there is a problem, I can simply lock down my entire app so that the user does not expose any critical information to the MITM. The problem that I am having is that I can't seem to find the right classes in Silverlight's limited subset of .NET to do what I need to do. Does anyone know how I can accomplish this goal, or a different way around this issue?

Answer 1

This isn't possible as far as I know - Silverlight uses the browser's networking stack, and as a result relies on its networking warnings and security infrastructure.

Silverlight 3 added a new networking stack, but I believe that in general the same applies: your host server's certificate is validated when the .xap (Silverlight application) is downloaded by the browser, and not something you can check or interact with in code.

Answer 2

IMHO You may check the certificate that is stored locally since browser will save a copy of it after SSL request. Check out this article. I hope it will give you some hints