hplus0603

Posted 01 May 2013 - 05:28 PM

"holding off on secure sockets" is the wrong solution.

There are two levels of security:

1) You don't really care if a determined man in the middle can read the data. Such a man in the middle must have access to the wires to snoop on the network (or an open wireless network.) At this point, XOR encryption, or no encryption, or your own cryptosystem based on hashes, is approximately the same level of security. Spending any time on this is time you don't have to spend on more important things, so don't do it.

2) You care about determined men in the middle (the most common being open wireless network sniffers.) At this point, you use TLS. If you can't get the Microsoft TLS wrapper to work, then use a library like openssl or whatever.

Note that, to guard against men in the middle, you have to also do remote host authentication, which requires you to get an SSL certificate. You can create a self-signed certificate, and provide the public part of that with your installed client, if you don't want to pay for a "real" SSL certificate.

(I'm sloppily using "SSL" and "TLS" interchangeably above, whereas you really should be using TLS for everything these days.)
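The second level above, a self-signed certificate whose public part ships with the installed client, as an added Python example (not hplus0603's code). It assumes the `openssl` command-line tool is available to mint two throwaway certificates, runs a local TLS server, and shows a pinned client accepting the bundled cert while refusing an impostor cert that carries the same name but a different key.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirpath, cn="localhost"):
    """Create a throwaway self-signed cert/key pair via the openssl CLI (assumed installed)."""
    key, cert = os.path.join(dirpath, "key.pem"), os.path.join(dirpath, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1", "-subj", f"/CN={cn}",
                    "-addext", f"subjectAltName=DNS:{cn}"], check=True, capture_output=True)
    return cert, key

def serve_once(cert, key):
    """TLS server on an ephemeral port that answers one client; returns the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.settimeout(5)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    def run():
        try:
            conn, _ = lsock.accept()
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello over TLS")
        except (ssl.SSLError, OSError):
            pass  # a client that rejected our certificate aborts the handshake
        finally:
            lsock.close()
    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]

def connect_pinned(port, trusted_cert, hostname="localhost"):
    """Client: trust ONLY the cert bundled with it, verify it and the hostname.
    Returns the server payload, or None when the peer's certificate is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=trusted_cert)  # the public part shipped with the client
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
             ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.recv(1024)
    except ssl.SSLCertVerificationError:
        return None  # untrusted cert: treat as a man in the middle and refuse to talk

def demo():
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        cert, key = make_self_signed(d1)
        impostor, _ = make_self_signed(d2)  # constructed: same name, different key
        good = connect_pinned(serve_once(cert, key), cert)      # pinned cert matches
        bad = connect_pinned(serve_once(cert, key), impostor)   # pinned cert does not
        return good, bad
```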
