HTTPWebRequest, SSL end point validation and
I'm writing an client application that has to query a URL and confirm the user is authorized to be used the client. Think of it as a very rudimentary licensing mechanism. The page on the server writes out a plain text string including some information about the user which serves as the validation. All this is done over SSL.
However, I'm a bit paranoid as to whether this "system" is secure enough. For example, if I setup Fiddler and check SslPolicyError in ServicePointManager.ServerCertificateValidationCallback, it comes off as valid. So, I can easily break the system with Fiddler. What I did notice is that in this case, the X509Certificate parameter holds Issuer:= ...fiddler2.com N开发者_如何学Cow, I can check whether the certificate issuer matches what the server uses right now. But the server certificate maybe renewed with a different CA. If that happens I'd end up having to get all users to install a new client: a support nightmare.
I'd like to know,
Is this a bad system by design? As in, is SSL inadequate to guarantee enough security in this case?
or
Am I trying to validate the endpoint incorrectly and if so what's the better way to do the validation?
SSL provides transport layer security. So, in this case, if you have fiddler in between, you are really only authenticating your client against Fiddler, not against the destination server.
Also, if the server certificate is renewed with a different CA, it should not matter as long as that CA is trusted on the client. You can ask the user to confirm that he trusts the CA and install the CA certificate into the "My Computer" store, under the "Trusted Root Cert Authorities" store. Since this is a client application, it would be better to delegate all such issues to the user, and your app can just do the core stuff which is getting the token from the server.
If you dont want to have user interaction, then you can code your client so that it does not care about who issued the certificate, as long as the Name on the cert matches the domain name of the server that you are talking to.
Hope that helps.
精彩评论