avoid localhost // verify url

Hi

I get a file via curl OK. Now I want to prevent users from changing the hosts file so that they could place/access a copy of that file locally.

Any ideas in C++? I've tried with htaccess on the server but no luck, as curl apparently uses http to get the file. So I guess I need to check if localhost is running and if so disable loading of my file? Or better, check for the correct URL?

Many thanks
The obvious solution would be to only allow https connections and the client validates the expected certificate is used. Obviously the client could still be manipulated to ignore the certificate check but it's a bit more involved than redirecting a DNS query.

Edited by BitMaster


If the URL starts with "https://" then cURL will use HTTPS to connect.

EDIT: forum filters "https://" o_o (added zero-width spaces to work around it)

Edited by Sik_the_hedgehog

The L just means it's a long constant instead of an integer constant.

That said, I do not think you can solve the problem with cURL. cURL needs to resolve a DNS. It has to ask the operating system to do that, and Windows will lie as much as the user wants to with just a hosts entry.

Sik_the_hedgehog: I don't think just any https will do. You need to validate (with the public key contained in your client) that the server uses the exact matching private key.


Yes, but the original post seemed to imply that https could be used to do such a validation =P (especially if you consider that you can use your own certificates) Although of course you could just swap the certificate the program checks against and you're back to zero. This kind of stuff is exactly why DRM doesn't work in practice.

Also disabling following is a bad idea, what that would do is to not retry when getting a redirect status code from the server (and the fact it's disabled by default is annoying). That would not help at all if you can just manipulate the hosts file, because the original server would never be seen in the first place.


You could use gethostbyname or getaddrinfo to detect if the DNS name you're trying to connect to resolves to the same IP/address as localhost (or any non-routable IP/addresses)...

Of course, anyone who could circumvent your public HTTPS certificate could probably also disable the IP/address checks even faster.

The best you can do is hide the public certificate in your executable (the code section if possible), and maybe even encrypt it with a password stored somewhere else.

Edited by tonemgub


Um no, you keep looking for things that let the server verify the client when you want the client to verify the server instead (and even then there's a chance that it'd just get worked around by messing with the client itself).
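
The getaddrinfo check suggested earlier in the thread, as an added example that is not part of any post: it resolves a host name and reports whether any returned address is loopback, private or link-local. The function names are hypothetical and POSIX sockets are assumed; the check only catches a hosts entry that points at such a range, and it does not replace the client verifying the server's certificate.

```cpp
// Added example, not thread code. POSIX; on Windows use <ws2tcpip.h> + WSAStartup.
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <cstdint>
#include <cstring>

// IPv4 (host byte order): loopback, RFC 1918 private, link-local, or 0.0.0.0/8.
static bool is_local_v4(uint32_t a) {
    return (a >> 24) == 127 || (a >> 24) == 10 || (a >> 24) == 0 ||
           (a >> 20) == 0xAC1 ||   // 172.16.0.0/12
           (a >> 16) == 0xC0A8 ||  // 192.168.0.0/16
           (a >> 16) == 0xA9FE;    // 169.254.0.0/16
}

static bool is_local_v6(const in6_addr& a) {
    if (IN6_IS_ADDR_V4MAPPED(&a)) {  // ::ffff:a.b.c.d, judge the embedded IPv4
        uint32_t v4;
        std::memcpy(&v4, a.s6_addr + 12, 4);
        return is_local_v4(ntohl(v4));
    }
    return IN6_IS_ADDR_LOOPBACK(&a) || IN6_IS_ADDR_UNSPECIFIED(&a) ||
           IN6_IS_ADDR_LINKLOCAL(&a) || (a.s6_addr[0] & 0xfe) == 0xfc;  // fc00::/7
}

// 1 if any resolved address is local, 0 if none, -1 on failure (flags: ai_flags).
int resolves_to_local(const char* host, int flags = 0) {
    addrinfo hints{}, *res = nullptr;
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    if (getaddrinfo(host, nullptr, &hints, &res) != 0) return -1;
    int local = 0;
    for (addrinfo* p = res; p && !local; p = p->ai_next) {
        if (p->ai_family == AF_INET) {
            auto* s = reinterpret_cast<sockaddr_in*>(p->ai_addr);
            local = is_local_v4(ntohl(s->sin_addr.s_addr));
        } else if (p->ai_family == AF_INET6) {
            local = is_local_v6(reinterpret_cast<sockaddr_in6*>(p->ai_addr)->sin6_addr);
        }
    }
    freeaddrinfo(res);
    return local;
}

int main(int argc, char** argv) {  // usage: ./check <hostname>
    return argc > 1 ? resolves_to_local(argv[1]) : 2;
}
```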
