Our application uses a client/server architecture; it's running on Windows.
Our users need to log in to the client with a username/password via HTTP (or HTTPS in the future), and then obtain their permissions.
Previously we used the HTTP protocol, so the contract between client and server could already have been observed by some clients.
Now we have enabled HTTPS (using Let's Encrypt), but still, I don't know if it is reliable in terms of preventing users from hacking the authentication process.
Here's a potential way I can see to hack the protocol by using a fake server:
- Make an IP-to-host (real hostname) mapping in the hosts file
- Make a fake HTTP server which uses the above IP and serves the same auth API as our server does.
The client uses cpprestsdk to send HTTP requests.
Since the web server is public, a user could easily get a CA using a browser like Chrome; it seems that it is easy to intercept the HTTPS request/response by using Wireshark.
My question is: is my assumption valid? If so, how could I make more changes to prevent this in a future version?
Your question is valid, and HTTPS is prone to man-in-the-middle (MITM) attacks. You need to use the HTTP Public-Key-Pins response header. It associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. You can read the details here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Public-Key-Pins
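As an added illustration of the check the answer describes (not code from the question's cpprestsdk client or from any library), here is a Python sketch of the client side of pinning: computing the pin from the server's DER-encoded public key, parsing a Public-Key-Pins header, and rejecting a connection whose key is not in the pinned set. The SPKI blobs and the header are constructed sample values; a native client like the one in the question would usually ship its pins compiled in (the `preloaded` argument) rather than learn them from a header.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (NOT real keys):
# one for the genuine server, one for a fake server reached via a hosts-file entry.
GENUINE_SPKI = b"\x30\x59\x30\x13" + bytes(range(89))
ROGUE_SPKI = b"\x30\x59\x30\x13" + bytes(range(89, 0, -1))
_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]+=*)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)")

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp(header: str) -> dict:
    """Pins and directives from a Public-Key-Pins value. A header is usable only
    with max-age and at least two pins (the spec requires a backup pin)."""
    pins = _PIN_RE.findall(header)
    age = _MAX_AGE_RE.search(header)
    max_age = int(age.group(1)) if age else None
    return {"pins": pins, "max_age": max_age,
            "valid": max_age is not None and len(pins) >= 2}

class PinStore:
    """Trust-on-first-use pin set, as a browser keeps per host. A native client
    would normally ship the pins preloaded and skip observe() entirely."""
    def __init__(self, preloaded=()):
        self.pins = list(preloaded)

    def observe(self, header: str) -> None:
        """Learn pins from a valid header; max-age=0 tells the client to unpin."""
        info = parse_hpkp(header)
        if info["valid"]:
            self.pins = [] if info["max_age"] == 0 else info["pins"]

    def verify(self, spki_der: bytes) -> bool:
        """Fail closed: accept the presented key only if its pin is in the set."""
        if not self.pins:
            return False
        presented = spki_pin(spki_der).encode("ascii")
        return any(hmac.compare_digest(presented, p.encode("ascii"))
                   for p in self.pins)

# Constructed header as the genuine server would send it: its own key plus a backup.
SAMPLE_HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
                 % (spki_pin(GENUINE_SPKI), spki_pin(b"constructed-backup-key")))
```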