is there some codes to encrypt a form data through webconfig?
some sort of codes or in global.asax? im currently developing a log in for my website and i dont want to use SSL. is there some way to solve my problem?
No. The web.config file only controls how the server behaves. Between the client and the server you need to rely on the HTTP protocol.
This is exactly why HTTPS (i.e. SSL) exists. If you need to encrypt data while it is being transferred from the client browser to your web server you must use HTTPS. There are no shortcuts.
Related
We are using Web API 2.0 to serve clients in a context where SSL can't be used (no public internet access, clients can't be expected to trust a self-signed certificate). To secure content moving between the client and server, we'd like to be able to encrypt it. We're OK with un-encrypted HTTP headers (only need to encrypt payload). The question is: is there a way to insert a custom handler into both the request and response message pipelines so that we can apply a decryption as a request pre-processing step and an encryption as a response post-processing step?
We are using the built-in features of Web API to serialize/de-serialize between JSON and model classes, and don't want to have to refactor any of that existing code. So an encryption handler would have to be inserted at the very start/end of the request/response pipeline. Is this possible, and if so, what is the technique to insert custom request/response content pre/post processing?
The network is "public" in that users bring their own devices, but the network is isolated from the public internet. Clients will only use a custom application we are developing to consume our Web API service, so we can address implementation issues of a custom encryption scheme on both client and server side.
If you control the client application, you can hard-code the SSL certificate that the server is expected to return, which means that it doesn't have to validate through the normal PKI means (sometimes called certificate pinning). Most other approach will result in you attempting to re-invent SSL, but with some fatal flaw.
To be explicit, I think you are seeing a conflict between "a context where SSL can't be used (no public internet access, clients can't be expected to trust a self-signed certificate)" and "Clients will only use a custom application we are developing" where one doesn't necessarily exist. The user doesn't have to know that the certificate is self-signed, and self-signed does not always imply untrusted.
I want to send data from my C# Windows 8 App to a PHP Script on my webserver to save Highscores etc.
But to avoid Manual insertions of fictional highscore values, I think I have to en- and decrypt it.
In which way can I encrypt data in C# which I can decrypt in PHP and maybe in the other way?
Or are there other Solutions to realize it?
Standard way to encrypt/decrypt data web-transmitted data is using the HTTPS protocol. All encryption/decryption happens automatically once the client and server authenticate and trust each other after exchanging certificates.
To avoid fake data talk only to authenticated clients that are authorized to insert the scores.
So you'd have a list of trusted clients, talk to them over HTTPS and each session would start by authentication (client would prove its identity to your server).
In my opinion the key terms you should definitely take into consideration are HTTPS (SSL Certificate), REST, OAuth
You may want to start by reading the
Open Web Application Security Project (OWASP) - Authentication Cheat Sheet
After that you may find useful some followup technical questions like:
https://security.stackexchange.com/questions/3605/certificate-based-authentication-vs-username-and-password-authentication
How to build a secure and RESTful service in PHP?
Simple PHP REST server with secure user authentication and registered third party applications
...?
I am searching a good way to encrypt and decrypt user authentication data between my Android app and my ASP.NET Webservice built in C#.
I want to do a user registration on my Android app and send the authentication to the back-end server that is a ASP.NET Webservice built in C# and then every time the app calls the webservice it should send a hashed string with authentication information so webservice now what user it is.
What is the best practice for this and have i missed something, give me some ideas please!
If you just send a hashed or encrypted string, anyone that captures it, can re-send it, and authenticate without knowing the password, etc. (replay). Use HTTPS (HTTP over SSL) and you don't have to worry about encrypting the communication channel.
I have a .net web application that post data to server from javascript via jquery in association with wcf ui services. This enables a non post back modal.
Is it possible to encrypt the data being sent to the server so that using sniffing applications such as fiddler and firebug, the POST of the data cannot be viewed. I want to achieve this for security. The data will need to be read on the server side.
Any tips on this?
Any encryption performed by javascript on the client side will be reversible on the client as well. At best you could achieve some obfuscation for non-technical users.
Make the request to an ssl endpoint. The action would be https://something/action.
Setup IIS 7
http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/
Setup IIS 6
http://www.petri.co.il/configure_ssl_on_your_website_with_iis.htm
Just use HTTPs. Whether its a "traditional" form or XHR SSL\HTTPS is possible.
Note that, with something like firebug (or Chromes debuger's network tab), you'll still be able to see the data... but that's because its part of the browser. An "external" sniffer, like Wireshark or a potential bad guy doing a man-in-the-middle attack, will not see the plain-text data on the wire (but will see encrypted data instead).
I'm working on a Project where I run a Server that is basically a .Net C# Application with a SQL Server Express DB and will now use WCF for Webservice implementation and then there are Silverlight Clients that different Companies will use to interact with this Server. How do I implement User Authentication in a good and reliable way? I've read a lot of Posts here that will user ASP on the Server side, but my Server isn't an ASP Server. Should I implement it anyway or are there any other options?
My naive thought was something like that:
Username, Password and Company is stored as a credential in the DB
The Silverlight Client asks on Startup those credentials and sends them to the Server to get a confirmation.
from now on those credentials are in every communication between Client and Server and the Server confirms them every time.
Is this to naive and insecure?
Since you're using basic web protocol, you could consider using an HTTPS channel and
1) embedding the credentials in the URL - as long as you're using HTTPS this is OK
2) getting a unique identifier back from the service on initial validation of credentials, and then requiring this identifier in all future calls - saves on the db lookup, but you should still stay in https - if you use http, then it's by definition insecure