How do I trust an off site application

Posted by Pieter on Programmers
Published on 2012-11-08T10:40:36Z Indexed on 2012/11/08 11:21 UTC


I need to implement something similar to a license server. This will have to be installed off site at the customers' location and needs to communicate with other applications at the customers' site (the applications that use the licenses) and an application running in our hosting center (for reporting and getting license information).

My question is how to set this up in a way I can trust that:

  1. The license server is really our application and not something that just simulates it; and
  2. There is no "man in the middle" (i.e. a proxy or something that alters the traffic).

The first thing I thought of was to use with client certificates and that would solve at least 2. However, what I'm worried about is that someone just decompiles (this is built in .NET) the license server, alters some logic and recompiles it. This would be hard to detect from both connecting applications.

This doesn't have to be absolutely secure since we have a limited number of customers whom we have a trust relationship with. However, I do want to make it more difficult than a simple decompile/recompile of the license server. I primarily want to protect against an employee or nephew of the boss trying to be smart.
