What's the Best idea to implement an Anti Connection Tampering for .Net application

117 views Asked by At

what's the best way to implement an anti connection tampering for my .Net application. for example, I don't want anyone to see what my application is sending to my server.. or at least encrypt the data have been sent to the server..

I just have a simple idea popped up on my mind right now and I'm not sure if that's the right thing to do in order to make it hard to understand what is my application is sending to my server.. anyway, my idea is to use SSL certificate.. is it a good way to prevent connection tampering?

any ideas or suggestions would be appreciated..

1

There are 1 answers

0
mikalai On

The problem here is that potentially connection can be compromised in both ways - from client to the server and back. Adding SSL certification to the server wouldn't be enough and mutual authentication is required, but that means that you should issue a certificate to each of clients. But that seems to be strongest solution.

However, self-signed certificates could be used for traffic encryption only, as they could be easily hijacked - the most popular example is Fiddler's ability to capture https traffic.

As you ask for any ideas, you could be probably interested in concealing the fact of the connection at all. With some hacking it could be possible to inject some module into internet explorer, for example. So your application would talk to the module and module, using IE environment - to the server. Server can even expose https interface and pretend to be normal web server.

By the way, the article Man-in-the-middle attack contains a list of tools you can try to check if your application is vulnerable to this sort of attack.