SSL for dummies - c#

I want to add some security to a client (iPhone) - server (C#) application I'm working on, mainly to encrypt messages sent between client and server.
I know I should use SSL, but I'm not really sure what steps I need to take on both client and server to implement it.
Can someone please give me some guidance?
I don't use the HTTP protocol, I use my own textual protocol, but anyway, with HTTP or my own protocol, how do I add SSL support? I know that in C# there is SslStream instead of a regular Stream. And on iOS there are some stream settings I need to configure, I just don't know how to do it.

Host the application using SSL in IIS, then use HTTPS as the service point. [edit] Don't forget you'll need a cert.

Take the easy approach, which is allowed to go on the App Store without having to go through all the encryption law stuff. Simply use an HTTP server and a client.
C# runs the HTTP server (maybe use IIS to handle that? Maybe C# has its own software for that) and the iPhone simply uses NSURLRequest.
Easy to implement and safe, since you'll benefit from patches from Apple and Microsoft.
Update for the updated question: I did some quick research and this kept popping up: kCFStreamPropertySSLSettings - maybe it helps you. It's apparently something for NSStream that allows it to create SSL connections, or something. I'm afraid I can't help you more than that.
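
The SslStream approach the question mentions, as an added example that is not part of the question or either answer: a C# server wraps the accepted TCP connection in `SslStream` before speaking a line-based text protocol, and a C# client stands in for the iPhone app. The port, the `server.pfx` file and its password, and the name `server.example.test` are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

class TlsLineDemo
{
    // Assumptions: placeholder PFX (certificate + private key), password and host name.
    const string PfxPath = "server.pfx";
    const string PfxPassword = "<pfx-password>";
    const string ServerName = "server.example.test"; // must match the certificate's name

    static void Main()
    {
        var cert = new X509Certificate2(PfxPath, PfxPassword);
        var listener = new TcpListener(IPAddress.Loopback, 5555);
        listener.Start();
        Task server = Task.Run(() => ServeOne(listener, cert));
        // Client side of the exchange (the role the iPhone app plays).
        using (var tcp = new TcpClient("127.0.0.1", 5555))
        using (var tls = new SslStream(tcp.GetStream(), false))
        {
            // Default validation: trusted chain and a name matching ServerName.
            tls.AuthenticateAsClient(ServerName);
            var w = new StreamWriter(tls) { AutoFlush = true };
            var r = new StreamReader(tls);
            w.WriteLine("HELLO");             // one line of the textual protocol
            Console.WriteLine(r.ReadLine());  // server's reply, decrypted by SslStream
        }
        server.Wait();
        listener.Stop();
    }

    static void ServeOne(TcpListener listener, X509Certificate2 cert)
    {
        using (TcpClient client = listener.AcceptTcpClient())
        using (var tls = new SslStream(client.GetStream(), false))
        {
            // Handshake first, so no protocol line ever crosses the wire in clear text.
            tls.AuthenticateAsServer(cert, false, SslProtocols.Tls12, false);
            var r = new StreamReader(tls);
            var w = new StreamWriter(tls) { AutoFlush = true };
            w.WriteLine("OK " + r.ReadLine());
        }
    }
}
```

With the default validation, `AuthenticateAsClient` throws `AuthenticationException` when the certificate chain is untrusted or the name does not match, so a test certificate has to be trusted by the client machine.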

Related

HttpListener vs HttpHandler dilemma

In a Windows Service I implemented an HttpListener that will handle incoming HTTP requests to a certain port, parse the query string, insert it in the database and send a confirmation response. All works well and I was quite pleased with my solution. However, the clients said that they were a bit skeptical and asked if the same could have been done via a webpage. Like having an HTTPHandler listen to a certain port. Got me thinking. What would you do in my situation?
Go with the HttpListener/Windows Service or HTTPHandler/.aspx?
Thank you very much!
Is there any reason why you don't want to use a web server? We've implemented our own Http serving services because they are fairly unusual in the way they process the requests and would prove taxing on a normally configured IIS instance.
In your situation, this doesn't appear to be the case, so yes, I find myself wondering why you didn't go the webserver route either.
EDIT
Is there any other web facing part of your application? If not, I would concur that @Mr Disappoinment's reasoning is sound. You're only exposing what you need, which is considerably less attack surface than an IIS instance.
I would use something through IIS, simply because I think my clients' IT staffs would require a pretty significant argument for me to be telling them to install custom services on their servers. I don't know enough about the threading behavior of the HttpListener (does it use thread pools? max number of threads? queueing once a max has been hit?) to say for sure, but I'd imagine that your client has similar concerns.

C# Know if server is being accessed from application

I have recently created an API on my server in PHP, but I have discovered that I shouldn't use my API directly with an API key because sensitive information like that can't be held securely inside an EXE. I did some research and people recommend creating a proxy between the API and your application, but even still that can be broken into.
I was wondering, how can I make my server know if it is being accessed from my C# application, or from another source? The reason why I want to know is to stop potential hackers accessing my gateway and using it themselves.
Thanks
SSL with a login?
There is no way for you to be certain someone is using your application to access a web service. I'm in a similar boat, and the most you can do is ensure the communication channel is secure (SSL) and use a username/password or something similar. You also have to be aware that anything done on the client's computer can be compromised. So much so, that you should pretty much assume that your application will be open source to anyone that wants it.

Intercept HTTP requests

I've some fishy application that makes HTTP requests to a website, I would like to intersect that request and send other data to the server. Is that possible in C#, Java or C++?
EDIT: The application isn't mine, I just know the endpoint that it sends HTTP requests to
Fiddler might provide the functionality you need. At the very least it may enable you to see what is being sent to the web site.
In Java you can intercept the request from a Filter.
You may want to look into using an HttpModule, whose purpose is to intercept incoming HTTP requests.
The ASP Column: HTTP Modules
Firstly, are you aware of how it is connecting to the internet? For example, is it using the settings from Internet Explorer, or is it establishing a direct connection? If the latter, this may be tricky, there is no direct port forwarding as there is in Linux, so you'll need some third-party tools to redirect the traffic to a server (which you can write in Java, C++ or C#, I would go for C# if you know it for pure speed of development). In that server you can intercept the request, and then create your own to actually send to the real destination.
Sounds like a kludge, but I think you're stuck with this approach due to the lack of direct port forwarding. You'll have to configure the third-party tool that you use to forward some other well known port to 80, and your server should write to this.

IP or winsock interception?

We have a terminal emulator (it's more than just this, but for the question it best describes what it is...). Some time ago, instead of rewriting it, a port proxy was introduced. The proxy listens to the 127.0.0.1 loopback and takes the connection and encrypts it using SSL.
What I need to do is get the data from the local machine before it goes in to the proxy so we can check it and stop or change it. I can't change the configuration of the current setup so I need to find a way to get the data before it's sent. Can this be done using Winsock? Any other approaches?
Thanks
A Layered Service Provider should do it (one is presumably inside Fiddler, so if that works for you, that's going to be quicker).
You could possibly try using Fiddler to listen in to 127.0.0.1
You should use some Win32 API Hook library.
Maybe EasyHook or Microsoft Detours.

Re-Implement 3rd party TCP Java client

I need to know if there are any tools to figure out the interface to a TCP client. My company has purchased a 3rd party tool and we really like the server side and most of the client side.
I would like to see if I can figure out the calls that the client side makes to the server so I can create the client side functionality we want.
I have been able to figure out the port number and protocol that the client communicates with the server on. Since we host the server, I have full access to that too.
Any ideas on how to get hold of and execute the methods that the client app is calling on the server?
I am not that good at Java, so I would like to use C#.NET if at all possible. Does that sound feasible?
NOTE: I have done something like this before (connect to a 3rd party Java based server with a custom .NET client) but that time I had a bit of documentation to get me started. This time I have nothing.
Any help will be greatly appreciated.
Also, if you know better tags for this please post them as comments (or just re-tag if you have the permissions)
If you're trying to reverse engineer the protocol so you can write your own client to the server, get Wireshark. You can use it to follow the conversation between client and server.
You could attempt to decompile the library. That should give you all of the low-level info that you need.
You could also use TCPMon to grab the exact message text passed between client and server.
