I'm looking for some advice here.
I have build a multi tenancy solution using RabbitMQ in C#.
It consists of a cloud solution that is pushing messages to the client applications through RabbitMQ.
Routing for RabbitMQ is setup using a routing key like: myapp.messagestream.<customercode>
All clients connect to RabbitMQ using the same username and password. Although the client code is obfuscated, it is still relatively simple to obtain the username and password. With this, theoratically, one could "guess" any other customer id and get the stream. Obviously, this is not what we want.
The way I would like to address this is to encrypt all messages using a encryption key per customer. This way, even if you have the username and password for RabbitMQ and you guessed a correct customer id, you would still not see any usable information.
Could anyone please share there insight on the above? Does it seem to be a good idea? or am I completely gone out of my mind?
Thanks in advance.
Even if the message is encrypted, it'd be consumed and removed from the queue. I guess that's not something you want to allow.
Consider creating different users and allowing them to read only from their own queues through authorization. You can connect it to a LDAP.
EDIT:
Hiding the messages in transit is always a good idea, but that can be achieved with SSL/TLS, no need to add another layer on top of that
Related
I have the following concern about security in server-client models...
Imagine the following:
I have an C# WinForms client that wants to communicate with a server (PHP GET-POST Requests, Socket or WebSocket in a Console App C# (Net Framework) running on a Debian under Mono, instead of using ASP.NET).
The first problem that arises is that whether the server (written in PHP or C #) must have some kind of control for the anonymous requests that the client generates, for this, we will have to use some type of token generated by the server to every request.
The problem isn't related to the token (my plan is to use HTTPS (PHP) or SSL / TLS + Certificates in WebSockets (C#) for client-server communications at the network level, to avoid Spoofing or MitM).
The problem arises when the server has to give to a "client" (we need to check its validity, that the main concern) a token to allow the client do requests. It would be very easy to any client to give a token from the server (How? Replicating (inverse ingeenering) a client that makes requests to the server to try to obtain valid tokens, at least, as I plan to implement it, hence the need for help).
In what I was thinking, is to generate a md5 or sha hash for the assembly file of the client. So, if anyone tries to replicate those steps, it will be difficult. Because he/she will need to modify the source code of the assembly or make a malicious assembly and obtain the same hash by collision (this is difficult).
I do not know how efficient is this system, so I need you to guide me a bit in this aspect.
I've been looking at OAuth, and I think that this type of implementation is not the one I'm looking for, because this kind of implementations is for the user level (to avoid that another user violates the main user data), not for the client (application).
So if someone can guide on this issue it would be of great help.
You can't authenticate the client, it is not possible. Anything in the client is known to the user (attacker), any secret, anything you have there. The only question is difficulty, but anything you do, it will not be very difficult.
Also in your hashing scheme, what would you do with the hash, send it to the server? Why would a different client have to match the hash, when it can send whatever it wants (ie. the correct hash, as sniffed from the network)?
So again, because the software needs to run on the client machine, anything that runs there or is sent on the network is disclosed to the user, and he can replicate it in a different client. It is not possible to securely prevent this. Also ssl/tls doesn't help here, if you control one of the endpoints (ie.the client).
Imagine if it was possible somehow, software piracy would not be a thing - but it very much is.
I have been looking but cannot find a good answer that can help me in my case. To explain the situation, I am creating a Unity3D game which will have a multiplayer system. In order to keep the player data as secure as possible (so people doesn't cheat easily), I decided to implement a Web API 2 service that connects to a SQL Server database. I designed the Web service in such a way that only if the request contains specific data the request is processed. What I am now having problem is to design a solution that will let me send/retrieve data from the web service. I implemented SHA-512 to send the password so packet sniffers wouldn't get it in plain text, and I am planning to implement HTTPS but Unity classes makes it very hard. I thought of implementing RijdnaelManaged as a more secure algorithm for the accounts but in Unity the code is easily reverse-engineered.
Would this model be secure enough to stop script kiddies from hacking player accounts?
HTTPS
I implemented SHA-512 to send the password so packet sniffers wouldn't get it in plain text,
That's not helping for as far as your webservice goes, it now uses the hash as its password, so anybody sniffing it will still capture it.
Use https, not http to get it right.
If you really cannot: build a system where the service first issues a challenge, and where the client then "signs" that challenge and sends the signature back. That's still by far not as good as https, but it'll prevent a few things (but not e.g. a man-in-the-middle attack).
Security
If you look at analyzing the risks, you need to take care to address users of your game as well as 3rd parties.
The 3rd parties, with good passwords (good luck with that) or proper 2 factor authentication, https etc. you can cover the bases rather well. Add in some security in the webservices and you should be a good way along the path.
But you also have to deal with users of the game. And that's harder than it might seem as they could run your game in a debugger and figure out how the game communicates with the server and what it sends when, what the effects are of that etc. Nw if you have a multi-player game typically that involves virtual goods and/or currency that can be obtained and/or traded. Devious players will try to get it the easy way, so you need to protect somehow against that as well.
The easiest to do that is to move the game logic into the server and use the client only for visualizing things - but that obviously means you make much more use of server resources ...
Trusting your client is running, unmodified, and you're talking to it: you can't ...
What needs to be done for an application to be able to issue email addresses, such as user123#mydomain.com?
I'm using Amazon SES to send out emails, do they have a service for this or would this have to do with the domain registrar (GoDaddy), or both?
The client to check email would be the web application itself.
I'm using C#.Net and Mvc for that as far as development is concerned but would prefer to use existing SaaS wherever possible.
What are some good ways to go?
EDIT: I checked with GoDaddy and they can't do this at scale. I don't believe Amazon does this either. How is this done?
This would all depend on your implementation of email server host. If you are running Windows with IIS and Email Post office then users are of the host domain. You can use the admin scripts for adding users from the site in this case.
If you are using Linux and a thrid party email service, it will likely have a user interface for adding users. Howerver these implementations generally use MySQL on the backend so you can add users through script from an implementation of PHP through Apache webserver host or backend service that adds users through MySQL script.
You need a mail server. As you can see from the list there are plenty of mail servers that exist, however there are some serious leaders in the field:
According to one survey, sendmail, Microsoft Exchange Server, Postfix,
and Exim together control over 85% of market share for SMTP service in
2010.1
I strongly recommend not hosting such a server in your code (if an implementation even exists, which I couldn't find)
After configuration of the mail server (which may need some intensive investment either in time or money, since this is complicated; some mail servers are notoriously complicated) you point your domain to the mail server. Mails can now be received to the email adresses you define.
This process is complicated, and I have a feeling that your question shows you don't know exactly what you need either (In fact I would have recommended closing it as too broad). I'd recommend reformulating exactly what you need and what you have so far. Don't hesitate to get in touch with someone that may help you formulate your needs.
I have created a Private MSMQ and I am able to send messages to it. What I am now looking to do is to only allow a single user access to the queue and then send messages to that queue using that users credentials.
I am thinking about impersonating the user (I have an impersonator class) before sending the message but not sure how to do this.
any ideas on whats the best way to do this.
Oh! I am using C#.
What user will be running the executable? You can simply give that user access to the queue, and avoid impersonation altogether.
Impersonation is usually useful when you try to run different pieces of code as several different users. If you don't need several users, don't bother with impersonating at all.
I have an existing asp.net c# application for which I'd like to implement a feature that allows users to post content via email. A user would send an email to a designated address and the system would parse the email and create database entries using the email subject, body and any attached images. My proposed approach is to create a windows service that pings a pop3/imap enabled email provider to retrieve incoming emails. The service would then parse the emails using an existing library I found here http://www.lesnikowski.com/mail/. The user would be matched according to the email address in the from field to the asp.net membership and then new records would be inserted from the contents of the email for that user. Initially the windows service would run on a separate EC2 instance that I'll set up for this purpose since the current host does not permit root access. But eventually I'll probably migrate the entire site to EC2.
Before I dive in I wanted to get some feedback from you all on my overall approach and architecture. More specifically:
Is what I described above the approach you would take?
Would you recommend implementing a web service to manage the interactions between the windows service and the database of the asp.net site? Or would you recommend hitting the database directly?
If I program the windows service to
ping the email provider every 30
seconds, will that be a problem?
Do you foresee any security issues with this approach I've outlined?
What about issues with reliability (needs to be a 24x7 service)?
Additional Background --- the asp.net website is an inventory system where each entry has a name, description and optional images. From the email the subject will become the name, the body will become the description and the images are the images. If you're familiar with the Posterous blogging platform you'll have an excellent reference point for what I am trying to accomplish.
Is what I described above the approach you would take?
It would be better if you could set up an Exchange server or sth similiar where you get notifications about new emails, so you don't have to ping every 30 minutes, but I never did it this way and cannot tell you if this is even possible.
The approach itself sounds plausible, because sending emails is really easy and everybody knows how to do that.
Would you recommend implementing a web service to manage the interactions
between the windows service and the
database of the asp.net site? Or would
you recommend hitting the database
directly?
I would recommend an extra abstraction layer, because it is not much effort and improves the design. This decreases performance (shouldn't be that much), so it depends on your requirements.
If I program the windows service to ping the email provider every 30
seconds, will that be a problem?
Depends on your email provider. Normally and if they allow it: No. You should definetly ask them first.
If it's your own: You're good to go.
There can be problems however if you're doing this inside a thread and you're accessing the IMAP multiple times at the same time. You should try to avoid that.
Do you foresee any security issues with this approach I've outlined?
Yes. You can easily forge the "from" field of an email you've send. There can be issues then, if the email is known. You should definetly add some kind of extra security like sending the mail to <SaltedHashThatIsDifferentForEachUser>#example.com. (Facebook does this too for example)
What about issues with reliability (needs to be a 24x7 service)?
I see more problems with the reliability of your email provider than with your service, because as long as the emails are saved, you can still parse them later.
You should investigate the maximum size of your imap to avoid rejected mails (e.g. delete them once you've successfully parsed them)
Would you recommend implementing a web service to manage the interactions between the windows service and the database of the asp.net site? Or would you recommend hitting the database directly?
There is no need to have a web service, it will just add complexity as well as introduce another attack target on your web server. Having your windows service hit your database directly will be simpler and more secure.
If I program the windows service to ping the email provider every 30 seconds, will that be a problem?
Should not be a problem ... Email providers provide POP3 and IMAP so that external services can use them (outlook, thunderbird, iphone) so they expect them to be constantly pinged.
Do you foresee any security issues with this approach I've outlined?
As Simon stated, emails can be easily forged, providing a security vulnerability. This link discusses a hacking incident on posterous and the trade off between ease of use and security. As a CISSP, I tend to lean toward security, especially when the vulnerability very easy to exploit.
The unique, "secret" email address is a better solution in terms of security. However, it takes a lot away from your goal of simplifying the update process. It also makes your solution more complex and costly since you will need to be able to support (and programmatically create) an unique address for every user.
What about issues with reliability (needs to be a 24x7 service)?
Most mainstream email providers have outstanding availability. In regards to the availability of this solution (without the preexisting factors such as your current hardware and hosting facility), you would want to ensure the windows service was well written and included some "fault tolerance". For example, the services i have written in the past handle a few select errors caused by external dependencies (database or email being unavailable) so that it does not crash but just waits until its back online. This provides better availability since the service is ready to go when the dependency is ok again, without someone required to manually restart the windows service.
Is what I described above the approach you would take?
Due to the security vulnerability exposed by relying on the sender of the email for authentication and authorization, I would not take this approach. If the main goal was to simplify and streamline the addition of new items from mobile platforms, I would probably create a "mobile friendly" web page to accomplish this.
I just returned from a web design conference in Seattle and it was heavily focused on "non-pc" platforms. After listing their very innovative ideas and best practices for designing for the mobile industry, I can see a web app being a great solution to achieving this goal.