[Owasp-dotnet] Application and Execution Context Identities

mikeiscool michaelslists at gmail.com
Mon Aug 7 20:35:12 EDT 2006


On 8/8/06, Eric Swanson <email at iseric.com> wrote:
>  All - Is it possible to locally install another domain's SSL certificate
> and effectively impersonate the domain without receiving certificate errors?

Well, no. But it depends on whether you pretend to _be_ that domain (i.e. DNS
poisoning, etc.).


> Mike,
>
>  Storing an encryption key on the server in a hosted environment usually
> means that it is written to a file, which can be located within the web root
> itself (for many hosts).  Hosts may provide a separate, additional directory
> that is not relative to the website's root for storage.  However, this
> situation still allows your application to be copied with the appropriate
> key file and executed elsewhere.  For shared Windows-based hosting, access
> to the server's registry is rarely allowed.  The separate, private, and
> secure local directory is an excellent additional measure of securing keys.

I think you've misunderstood what I was suggesting.

I never said you should store an encryption key on the server; what you
have is a server page that accepts a key and _decrypts_ an
encrypted message. This message allows your server to initialise
itself, i.e. it can be the database connection string that you
previously mentioned concern over.


> I am attempting to identify multiple solutions that might allow an
> application to reliably and securely identify itself and its execution
> context.  I am attempting to identify as many solutions as possible between
> "store a key somewhere, somehow" and "read the server's physical serial
> number".

There is no application code that can help you identify yourself.
Nothing in code can solve this problem for you. The only way to solve
it is with encryption, because any type of call can be intercepted and
handled by the environment your 'context aware' app is running on.

The most appropriate solution, imho, is to only allow the application
to start when it receives the initialisation phase. And the
initialisation phase is completed when the appropriate key is given.


> Eric Swanson
> http://www.ericis.com/

-- mic
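The scheme mic describes above, a server page that accepts a key, decrypts the encrypted connection string that is the only thing stored on the host, and lets the application start only once that has succeeded, as an added example written in Go. This is not code from the list thread or from any OWASP project. It assumes AES-GCM as the cipher, a 32-byte key held by the operator, the label "db-connection-string" bound in as associated data, and a hypothetical App type with an InitHandler endpoint; all of these are choices made for the example, and the sample connection string is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"io"
	"net/http"
	"strings"
	"sync"
)

// Associated data: a blob sealed as the connection string cannot be presented
// to the server as some other setting (label chosen for this example).
const configLabel = "db-connection-string"

// newAEAD wraps AES-GCM; aes.NewCipher rejects keys that are not 16/24/32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is run once by the operator, offline; it returns nonce||ciphertext||tag.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open fails the tag check on a wrong key, a tampered blob or another label.
func Open(key, sealed []byte, label string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(label))
}

// App holds only the sealed blob at rest: it is all a copy of the deployment
// carries away, and it is useless without the operator's key.
type App struct {
	Sealed     []byte
	mu         sync.Mutex
	ready      bool
	connString string
}

// Initialise is the initialisation phase and the only place the key is seen.
// The caller's copy is zeroed afterwards (best effort; Go gives no guarantee).
func (a *App) Initialise(key []byte) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.ready {
		return errors.New("already initialised")
	}
	plain, err := Open(key, a.Sealed, configLabel)
	for i := range key {
		key[i] = 0
	}
	if err != nil {
		return errors.New("initialisation rejected")
	}
	a.connString, a.ready = string(plain), true
	return nil
}

// ConnString errs until initialised; other handlers turn that into a 503.
func (a *App) ConnString() (string, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if !a.ready {
		return "", errors.New("not initialised")
	}
	return a.connString, nil
}

// InitHandler is the "server page that accepts a key": POST the hex-encoded key
// once at start-up. TLS and an operator credential in front of it are assumed.
func (a *App) InitHandler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(io.LimitReader(r.Body, 256))
	key, err := hex.DecodeString(strings.TrimSpace(string(body)))
	if r.Method != http.MethodPost || err != nil || a.Initialise(key) != nil {
		http.Error(w, "initialisation rejected", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}
```

The operator runs Seal once, copies only its output to the host, and posts the key to /init after each restart; every other request should call ConnString and answer 503 until it succeeds. The GCM tag is what makes a wrong key, a tampered blob or a blob sealed under a different label fail cleanly, and the associated-data label stops one sealed setting being swapped for another. Note the limit mic himself states: once the key has been posted, the hosting environment can still read it and the decrypted string from the process's memory, so this gates start-up and protects the files at rest, not a running process from its own host.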
