Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I have been asked to develop a system that collects data from a SQL Server database and sends that data in "some" format to a client as real-time as possible. The data is basic contact forms from a .net website. Names, phone numbers, email. No SSN type data.
The only parameters I know about the project are:
The client will probably want multiple ways to consume the data: Excel, RSS readers, lead management systems, etc.
The client has expressed zero concern for security.
I am not going to just ignore security because the client doesn't care.
Full Disclosure: I am NOT a security expert.
I want to use some type of secure rss/xml feed because that would seem to offer the most options for the client to consume and it would be as real time as possible. However, many of the posts on this topic here at SO seem to suggest even with basic authentication and SSL, you are asking for trouble.
I could set up a secure FTP download, but this doesn't seem to make sense as it would require the client to constantly check for incoming contact forms/leads.
If all else fails I could just email CSV files every 2 or 3 minutes but this does not seem very good either.
I guess my main question is: Is there another way I am missing or is a secure Rss/Xml feed OK for this application?
Thanks.
If the client is known then you can secure this rather well with SSL.
Use SSL not only on the server side but on the client side too, by requiring that the clients identify themselves with a certificate... that certificate is installed once on the machine of the client/boss/whoever and made known to your server.
For some information on how to do this with IIS see:
http://support.microsoft.com/kb/315588/en-us
read client certificate from httprequest C#
http://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I'm sorry if this is the wrong place to put this, but since I normally code in C#, and my potential solution would involve using C# I figured this would be the best place to start.
I've been given a task at work to allow our customers the ability to transmit confidential record information from their office to our in-house, or possibly a new cloud-based, server.
I have been rather adamant that to transmit said data, an SSL certificate must be acquired by us through a third party. But I'm wondering if that really is true.
The more I researched SSL certificates the more I've come to realize that all they really are is one company vouching for another. The encryption (even on an expired certificate or on a self-signed certificate) works and the encryption is just as secure as one that isn't. Sure, the user is presented with nasty icons and red screens showing that "hey! this may not be safe!" But if the user doesn't visit a "https" prefixed website and only visits a "http" website, what would be wrong with encrypting data client-side, submitting it to our server, decrypting it server side and vice-versa?
Encryption is encryption right?
Or what if a WinForms app was created that did the same as above? Encrypt data, submit it to our servers and the servers decrypt it.
I just can't justify paying thousands of dollars a year to have Verisign, or whoever, issue us a certificate when 99% (I'm willing to bet) of the users on the internet don't even bother checking the validity of the certificate.
I obviously want to make sure everything IS secure, and I'm not downplaying the role of SSL certificates or keeping things secure, but I just fail to see the logic behind acquiring one, if the same type of encryption can be achieved in-house with better control and, if you ask me, better security.
Any thoughts or opinions?
You need to learn about MITM attacks, which require some form of authentication to prevent.
If you just use a self-signed certificate, an attacker can impersonate your server and send his own self-signed certificates, and your clients won't know anything is wrong.
If you just encrypt data in JavaScript, an attacker can easily modify the JavaScript to send him a copy of the plaintext first.
If you already have a secure channel to distribute the client (e.g., WinForms) app, you can use certificate pinning and your own CA instead of paying for an SSL certificate. However, this involves more work on your part (remember to handle revocations).
Also, in order to securely distribute the app in the first place, you'll still need SSL (or an attacker can rip out all of your crypto code before it runs).
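The impersonation case from this answer, as an added example that is not part of the original answer: a check that accepts a server certificate only if it chains to a private CA and its public key is pinned. The same function run server-side against a known client certificate covers the client-certificate answer earlier on this page. It assumes .NET 6 or later; the class name, certificate names and test certificates are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedTls
{
    // Hex SHA-256 of the certificate's SubjectPublicKeyInfo: the value that gets pinned.
    public static string SpkiPin(X509Certificate2 cert) =>
        Convert.ToHexString(SHA256.HashData(cert.PublicKey.ExportSubjectPublicKeyInfo()));

    // Accept only if the chain ends at our private CA AND the leaf key is on the pin list.
    public static bool Validate(X509Certificate2 leaf, X509Certificate2 privateCa, string[] pins)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(privateCa);
        // The demo CA publishes no CRL/OCSP data; a deployed private CA has to provide it.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(leaf) && pins.Contains(SpkiPin(leaf), StringComparer.OrdinalIgnoreCase);
    }

    // Test helper (hypothetical): issuer == null yields a self-signed certificate.
    // Keys are left undisposed so the CA can still sign during the demo.
    static X509Certificate2 Issue(string cn, X509Certificate2 issuer)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=" + cn, key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        var from = DateTimeOffset.UtcNow.AddMinutes(-5);
        if (issuer == null)
        {
            req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            return req.CreateSelfSigned(from, from.AddYears(5));
        }
        return req.Create(issuer, from, from.AddYears(1), Guid.NewGuid().ToByteArray());
    }

    static void Main()
    {
        // Constructed test certificates; nothing touches the network.
        using var ca = Issue("Example Private CA", null);
        using var server = Issue("leads.example.test", ca);
        using var impostor = Issue("leads.example.test", null); // same name, different key
        string[] pins = { SpkiPin(server) };

        Console.WriteLine("genuine server accepted:       " + Validate(server, ca, pins));
        Console.WriteLine("self-signed impostor accepted: " + Validate(impostor, ca, pins));
    }
}
```

In a client application this check would be called from `HttpClientHandler.ServerCertificateCustomValidationCallback`, which also reports host name mismatches through its `SslPolicyErrors` argument.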
I'm not sure what kind of data you are trying to send, but you could certainly avoid using a website altogether to send and receive data. The strategy could be something like:
Client:
WinForm (data entry) -> SFTP server
Server:
SFTP server -> Windows Service -> SQL Database
You would just have to set up the SFTP service and deploy your WinForm and Windows Service securely.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I'm trying to create a simple multiplayer game. As I understand, the main principle is to make clients communicate either directly to each other or to the server. Since I want some game data to be available online on my website, I'm inclined to create a database that users will be connected to.
Is this valid?
Is SQL/MySQL a good idea to use in such a scenario?
Would Windows Azure be any help?
Please help me. I really need some guidance here.
If you want to store game data for use on a web site, you will definitely want to store it in some sort of database. Just so you know, SQL is a querying language for databases, MySQL is a DBMS (Database Management system) that you use SQL to "talk" to.
However, you certainly don't want to store ALL of your game interaction in a database, as database operations tend to take a long time (at least as far as a computer is concerned). Your server should have some sort of socket (probably TCP) that is talking to all the clients, passing messages and so forth.
The class reading from this socket would raise events or otherwise update the database for the information you want to be displayed on your website. Windows Azure would be a perfectly valid hosting platform for the website/server app, and so would pretty much any other web hosting solution. Some of the socket code could be easier going through Azure, so that may give it an advantage when choosing your host.
Please let me know if I can provide any more information.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
What are the upsides to using an FTP server (hosted by a third party) to transfer (and maybe store) files when compared to just sending through email? The language of choice is C#.
Email looks easier to implement and if it was going to Gmail then server hosting and upkeep would not be a worry. However, I am not experienced with FTP servers and don't know how big of a deal setup and upkeep is on them. All that is being sent is a bunch of text files, most likely each under 1 MB. Security is not a big deal at this point, but I am curious which is more secure without doing a lot of extra setup work.
Emailing means you have no guarantee that the file is received at the other end, or in a timely manner. Maybe this is not important for you? Emailing certainly would be easier to program up compared to FTP.
On the other hand, if you use one of the many FTP libraries available for .NET then you have complete control. You could include the library in a C# Windows service to do the transferring seamlessly for you, including exception (error) processing and notification.
Personally I'd take the opportunity to learn about FTP (it's easy). You would of course require an FTP service to be set up on your server. All part of the learning.
I don't know your specific use case, but it sounds like FTP is more appropriate than email for transferring and storing files. I mean it is called the "File Transfer Protocol" for a reason ;) The upside of FTP over email is that it is designed for files while email is designed for email messages - it will be more difficult to automate the management of file attachments in email.
Setting up an FTP server is not difficult. Check out FileZilla:
https://filezilla-project.org/download.php?type=server
Sending files via FTP with C# is not difficult either. Here is a question on that:
Upload file on ftp
BTW, again without knowing your requirements, there are also cloud services like Dropbox and Box.com that have APIs that might be even more appropriate for you.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I have designed a virtual classroom software for students with disabilities; it is being used by some local colleges. The limitation of the software is that the students within a Local Area Network (LAN) are able to connect with the server in order to receive audio/video data. I have used sockets to connect clients with the server. Now the demand for the software has increased and students outside of the LAN want to connect to the server using their internet connection. I am aware that I have to rewrite the server/client connectivity modules, but I am not sure how to go about connecting clients to the server using the internet.
I think one way is to use a vpn but I am not really sure.
Any guidance would be much appreciated. Thanks in advance.
1) First, the good news: You may not have to rewrite your client server code (at least not completely)
2) This question may be better suited for serverfault
3) Get with your IT staff to discuss your needs. Developing the app without consulting them is asking for trouble, because they're going to be the ones to ensure the proper firewall ports are opened. Even if you had a VPN, without consulting them there's no guarantee it would even work. Because you would need
4) A routable IP address. Yes, DYNDNS or something similar would work, but that introduces another single point of failure. No IT staff? Then
5) Find an IT consultant knowledgeable in basic networking, or make heavy use of serverfault.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
I want to start a simple Windows P2P instant messenger in C#, similar to AOL, ICQ, etc., but much more simple (plain text messages between 2 guys).
I don't need examples on how to do it. I can find them myself.
What I do need is a general idea of how instant messaging works (P2P, not multichat) without many technical details.
For example:
Will I need a main server to make the communication between user1 and user2 happen or user1 can send the strings directly to user2? How is this called?
If user1 is logged in, how does he know of an incoming message from another user (or the online status of their friends)? Does the chat client app check every X seconds with a main server?
Any clues that might help me clear the general data flow idea will be very much appreciated.
A flowchart may also be helpful if you find one to share.
Thanks in advance.
UPDATE (NEW QUESTION) - July 6
Let's say the user had successfully logged in, and the app needs now to get and populate the list of contacts (saved on my apache/php/mysql server).
How would you implement the data retrieval (important) and later population of the contacts list? Is WebClient.DownloadString[Async] a good approach? Is there a better way?
How often should the app check for updated list (online/offline statuses). Recommendations accepted.
How can I parse JSON data on C#.NET (Visual C# Studio 2010)
I will get JSON strings.
Thanks!
If you really want to build a p2p app, there should be no server. However, this is not straightforward.
There are lots of different approaches to creating a chat system, mostly involving servers. Research comet (a good solution if implemented properly, terrible otherwise), polling (checking every x seconds) or using sockets, however there are lots of issues to be considered - and caveats, particularly firewalls/nat routers. A socket solution could potentially be 'p2p', but the polling and comet ones are not.
For your use case, I would go with a simple socket solution (one side as server, one as client) and configure your router firewall by opening a port at the server end.
You could extend this so that both sides could be both servers (listening on a port) and clients, so you could both 'call' each other.
You will need to have a permanent ip, or use a service like dyndns to get this to work properly.
Update
Yes, DownloadString or DownloadStringAsync would be a fine method.
How often is really up to you. I assume that this is only for a few users from what you said in the question, so you don't need to worry about overloading the server. Once a minute sounds reasonable, but once a second would probably be fine too if you feel that way inclined... Parsing JSON in .NET answers your final query.