
What's the best way to implement anti-connection-tampering for my .NET application? For example, I don't want anyone to see what my application is sending to my server, or at least encrypt the data being sent to the server.

I just had a simple idea pop into my mind right now and I'm not sure if that's the right thing to do in order to make it hard to understand what my application is sending to my server. Anyway, my idea is to use an SSL certificate. Is it a good way to prevent connection tampering?

Any ideas or suggestions would be appreciated.

AstroCB
Desolator
  • To be sure you must have a valid certificate, given by a certificate authority. You can use this certificate either to encrypt at the transport level, or at the message level. Encrypting at the transport level is the easiest, and this is usually done with SSL or TLS. In other words, SSL is a good pick. – Steven Nov 04 '11 at 08:35
  • Where is your potential tamperer? On the network or on the same device you are running on? If you don't answer "the network" you are doomed; anti-cheat techs have tried to do it for years and still don't work 100% of the time. Otherwise a public key embedded in your code with the private key on the server would solve the network attacker problem (and SSL/TLS is a good implementation to use). – Julien Roncaglia Nov 04 '11 at 08:40

1 Answer


The problem here is that the connection can potentially be compromised in both directions: from the client to the server and back. Adding SSL certification to the server wouldn't be enough and mutual authentication is required, but that means that you should issue a certificate to each of the clients. But that seems to be the strongest solution.

However, self-signed certificates could be used for traffic encryption only, as they could be easily hijacked; the most popular example is Fiddler's ability to capture HTTPS traffic.

As you asked for any ideas, you could probably be interested in concealing the fact of the connection altogether. With some hacking it could be possible to inject some module into Internet Explorer, for example. So your application would talk to the module, and the module, using the IE environment, would talk to the server. The server can even expose an HTTPS interface and pretend to be a normal web server.

By the way, the article Man-in-the-middle attack contains a list of tools you can try to check if your application is vulnerable to this sort of attack.

Peter O.
mikalai
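
The mutual authentication described in the answer and the embedded public key from Julien Roncaglia's comment, combined in an added C# example (not code from the original posters). It assumes .NET 6 or later; `PinnedClient`, `ValidateServer`, `Create` and the pin placeholder are hypothetical names, and the caller is expected to load the client certificate.

```csharp
// Added example, not from the original post. Requires .NET 6 or later.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedClient
{
    // Placeholder: base64 SHA-256 of the server certificate's SubjectPublicKeyInfo.
    private const string ExpectedSpkiSha256 = "REPLACE_WITH_BASE64_SHA256_OF_SERVER_SPKI";

    // Accept the server only if normal chain and host name validation passed AND
    // its public key matches the pin compiled into the application. A proxy whose
    // root was added to the local trust store passes the first check, not the second.
    public static bool ValidateServer(HttpRequestMessage request, X509Certificate2? cert,
                                      X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || cert is null)
            return false; // untrusted chain, wrong host name, or no certificate

        byte[] expected;
        try { expected = Convert.FromBase64String(ExpectedSpkiSha256); }
        catch (FormatException) { return false; } // pin not configured: fail closed

        byte[] actual = SHA256.HashData(cert.PublicKey.ExportSubjectPublicKeyInfo());
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // clientCert must carry its private key; the server verifies it during the
    // TLS handshake, which is the "mutual" half of mutual authentication.
    public static HttpClient Create(X509Certificate2 clientCert)
    {
        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            ServerCertificateCustomValidationCallback = ValidateServer,
            CheckCertificateRevocationList = true // reject revoked server certificates
        };
        handler.ClientCertificates.Add(clientCert);
        return new HttpClient(handler);
    }
}
```

The server side must also be configured to require and validate client certificates; this block covers only the client.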