Programming with .NET - General

Re: Re: Re: Re: Re: The most secure way to POST data to a website

adefwebserver — Mon, 21 Jul 2008 12:21:59 GMT

robhouweling:

In the method you outlined, can you explain how you determine the call is made from the Silverlight application instead of a normal aspx page?
If a hacker calls the webservice using an aspx page using the password he got, from first opening the page the normal way, he can use your webservice.

That's why I put in the IPAddress check. The hacker would have to be on your computer or using some sort of IP spoofing AND they have to do this before you logged in again and caused your temporary password to change.

You should never pass the "real" user password from the Silverlight app to the web service.

Re: The most secure way to POST data to a website

Yi-Lun Luo - MSFT — Mon, 21 Jul 2008 09:06:47 GMT

Hello, there's no way to tell if the request comes from your Silverlight application or another client. This is similar to in a classic web application, there's no way to tell if the user is using IE/Firefox or a hack browser that simulates IE/Firefox's request. But there're still a lot of solutions to enhance your service's security. I don't know PHP. But generally speaking, you should enable session on your web services, so only authenticated users can access the service. In WCF, you can use ASP.NET session, I think there's something similar on PHP. When Silverlight makes a request to the service, it will automatically send the session information, if any. It's very difficult to hack session, since each session will have a different id. Of course, you still need your users to protect their passwords. Even in a classic web application, if the hacker gets the password, he can still do anything that user can, right?

Re: Re: Re: Re: Re: The most secure way to POST data to a website

robhouweling — Mon, 21 Jul 2008 05:44:44 GMT

Hi Michael,

In the method you outlined, can you explain how you determine the call is made from the Silverlight application instead of a normal aspx page?
If a hacker calls the webservice using an aspx page using the password he got, from first opening the page the normal way, he can use your webservice.

I agree it does make it more difficult, but it's not totally secure.

Maybe I misunderstood, so please correct me if I'm wrong.

Re: Re: Re: Re: Re: The most secure way to POST data to a website

adefwebserver — Sun, 20 Jul 2008 21:44:16 GMT

I outline a method here:

Implementing "Super Tight Security"

Basically you can store the IP address when the Silverlight App is launched and then only accept requests from that IP address. That combined with a random password should make hacking your web service very difficult.

Re: Re: Re: Re: Re: The most secure way to POST data to a website

robhouweling — Sun, 20 Jul 2008 12:24:38 GMT

There is no way to be 100% certain calls are made from your silverlight app. Using a key won't help either because the code can easily be read using tools like reflector.
When you want to display such sensitive info using webservices it's probably best to let the user login first before they can access the information.

However, this is not really a Silverlight issue, but a common question when it comes to webservices.

Try this article for more info on securing webservices:
http://msdn.microsoft.com/en-us/library/aa302428.aspx

Re: Re: Re: Re: Re: The most secure way to POST data to a website

omeganet05 — Sun, 20 Jul 2008 10:04:21 GMT

I read about this. But I want to ensure that my WebService will be called only from my Silverlight app. How can I achieve this? Don't I need to use my private key to crypt the data so the server can use my public key to decrypt it?

Re: Re: Re: Re: The most secure way to POST data to a website

robhouweling — Sun, 20 Jul 2008 08:59:32 GMT

To secure it, all you have to do is call the webservice using https. Since Silverlight runs in a sandbox in the browser, the browser will handle the https for you. This is not something you need to create yourself.

Re: Re: Re: Re: The most secure way to POST data to a website

omeganet05 — Sun, 20 Jul 2008 08:55:46 GMT

Thanks! I created my PHP WebService. Everything is OK. Now I have to secure it. I want only my Silverlight app to be able to send data to this WebService. So I need a certificate. I have to include my private key in my Silverlight app and put my public key on the server. But is it secure when I include my private key? Can't it be found?

Re: Re: Re: Re: The most secure way to POST data to a website

justncase80 — Fri, 18 Jul 2008 16:35:41 GMT

That's ok, in this context a webservice is just a SOAP web service. A WSDL is the service description and this is a standard protocol. I'm not PHP expert but I"m pretty sure you can find some libraries to create SOAP webservices.

For example: http://devzone.zend.com/node/view/id/689

Anyway, you create your SOAP webservice in PHP, or Java or .NET or whatever then in your Silverlight application you can "Add a service reference" and point it to the WSDL url. From there it will know how to generate classes for you that can interact with your web service.

I believe there are also ways to interact with REST webservices (which are very common in PHP) but I'm not sure if that is implemented in Silverlight yet. It might be worth looking into at least.

Re: Re: Re: Re: The most secure way to POST data to a website

omeganet05 — Fri, 18 Jul 2008 15:38:50 GMT

It looks very easy with WebServices, but my hosting does not provide .NET content. So I have to think of a workarround with PHP. Does anybody have done something like that with PHP?

Re: Re: Re: The most secure way to POST data to a website

justncase80 — Fri, 18 Jul 2008 14:32:15 GMT

Basically you would setup a Service Reference to your webservice, only instead of using the URL:

http://localhost/MyService.svc?WSDL

You would use:

https://localhost/MyService.svc?WSDL

It should be that simple. Of course replace everything after https with the URL to your WSDL for your service.

Re: Re: The most secure way to POST data to a website

sladapter — Fri, 18 Jul 2008 14:27:31 GMT

http://silverlight.net/forums/p/16672/55418.aspx#55418

Re: Re: The most secure way to POST data to a website

omeganet05 — Fri, 18 Jul 2008 14:18:37 GMT

How can I use SSL with Silverlight? I can configure my web server to use SSL, but how to make requests from my app? Can you give me a example code (even with web services)?

Re: The most secure way to POST data to a website

justncase80 — Fri, 18 Jul 2008 13:48:10 GMT

The most obvious answer is to just use SSL. Your webservice would only communicate from secure requests, your service urls would probably change to "https". To do this you just need to have an SSL certificate and set it up for your site on your server. This is basically just a server configuration issue then a little bit of code to ensure that incoming service requests are done through https.

I'm not really sure how you would do this in PHP or apache though.

The most secure way to POST data to a website

omeganet05 — Fri, 18 Jul 2008 13:44:16 GMT

I have a Silverlight 2 beta 2 app which communicates with a PHP site, which saves the data in MySQL. If a malicious user view the headers sent by my app, he can modify them to insert malicious data in my DB. So I need to protect the commucination between my app and my site. What is the most secure approach?