I am working on an chat program with socket programming (Indy in Delphi).
What security solutions can I use to satisfy its security? From user authentication (I used a server to authenticate users) and type of packets security that can be used?
I don't have any idea what can make my app vulnerable.
Indy supports OpenSSL so yo only need to add and configure a OpenSSL handler, and make sure that the firewall allows connections over the secure port.
A popular source of information is the Open Web Application Security Project (OWASP).
Their pages include lots of technical article, for example
https://www.owasp.org/index.php/Category:Vulnerability
about vulnerabilities
Related
I'm doing a simple proxy work, it can listen locally and the requests are forward to a real external online proxy, I tried many but without results.
my online proxy for testing
194.163.148.227:3128
There is an IcsHttpProxy tool that is supposed to do this work, but I encountered a lot of obstacles, including there are many options related to security certificates. I do not know what to set in the that when sites can have a lot of differences such as version of certificate, key strength, etc., Do I have to set it manually for each site?
In fact, I did this project using Indy's tools and it done without a problem and without much work and without going into the details of the certificates and what is related to them, but I am interested in doing this project using Overbite ICS tools.
All i need is a simple proxy that forwarding browser requests to an external proxy without entering into the details of security certificates and what is related to them. Is this possible?
My Idea
Since many website will calling service by Web API. In that case, those methods will be exposed for every one. How can I ensure only my web site can calling my Web API service?
One of the easiest way to secure it as a developer is to get the IT people to do it by limiting access down by IP address from site to site. You could also do this in the app by validating the incoming IP addreseses. Sometimes IP addresses change sometimes they don't. Whenever I have done this have used certificates as there is a trust on both sides of the data divide. Have a look at John Petersens article Making web api's secure it has a section on implementing IP security in your app as well as x509 certificates; complete with code examples that I wont reproduce here. You could try and secure it with SSL and create your own key / trust but its easier to maintain (imo) using x509. Perversely it was much easier in the web service world Microsoft had an API to do this much more simple in WSE extension..
I have developed security sensitive App. I had to use TEA based algorithm to encrypt/decrypt data to communicate with server and follow Server protocols. I have used AsyncSocket for trasport level communication which uses CFNetwork APIs. I have noticed that TEA algorithm is not very secure and can be hacked easily. Moreover, AsyncSocket library isn't using Apple's Security Framework anywhere. I am planning to rewrite transport layer and redefining client-server security protocols. I have been researching on what kind of security algorithm should I use for data protection which has no or minimum performance impact and difficult to break. Moreover, I am going through Security frameworks but couldn't find any example that uses this framework to implement transport layer. Could someone please assist me on this? What are the things I should follow to code secure transport layer? what are the security measures that I could check against my App?
As #CodesInChaos notes, you should use TLS for this. You absolutely should not design or implement a new transport protocol.
The fact that CFNetwork supports TLS does not mean that you are using it. You need to actively use it. Your server needs a certificate that your client trusts, and it needs to negotiate a TLS session. In general, if you just use HTTPS and the standard NSURLConnection routines , then you're going to get most of what you need for free. But if you start building it by hand in CFNetwork, you need to make sure that you're configuring it correctly. My recommendation is to use HTTPS whenever possible. It's simple and makes a wide variety of problems go away.
That said, just because the transport is secured does not mean that your app is "secured enough." In particular, your server still needs to be able to deal with malicious clients talking over a secured transport. You need to properly authenticate the user and you need to handle malicious data gracefully. When the data reaches your server, you need to store is securely. You may need to encrypt data on the client. There are many aspects to securing a system beyond the transport.
Long ago I started some "web applications" using Delphi 2007 and WebBroker (TWebModule). At the time I assumed you needed a webserver such as Apache or Microsoft IIS in order to create any sort of website. Additionally I don't use most of the Apache features (except for Virtual Server so I can have multiple domains on a single ip address and SSL). So to me Apache is just an extra layer and makes makes debugging difficult.
Now enter Indy (TIdHTTPServer). If I understand correctly, Indy IS a webserver. So by using Indy I am no longer bound to use Apache or some other webserver. Is this correct?
Will I have any issues supporting the Virtual Servers in an Indy environment? And what about SSL. I have searched the literature and from what I can see it fully supports SSL certificates.
I am now in the process of porting some of my application from WebBroker to Indy. This mostly entails replacing within my code references of Request: TWebRequest with ARequestInfo: TIdHTTPRequestInfo and references to Response: TWebResponse with AResponseInfo: TIdHTTPResponseInfo.
Is there anyway to use the TWebModule architecture within Indy so that I don't need to do all of this rewriting?
Lastly is there anything else I need to be concerned with? My goal is to take Apache out of the loop.
Yes, you can use Indy's TidHTTPServer as a webserver, but it's much lower-level than IIS or Apache. There is no concept of virtual servers - this you would have to implement yourself.
Indy does support SSL as well via the OpenSSL dll's.
I imagine the biggest concerns you will have will be security related...there are millions and millions of sites running Apache or IIS and there are a ton of people devoted to finding flaws in those platforms, with a bunch of people fixing some of those flaws as they come up. Not so with Indy... there's one or two guys that respond on newsgroups to bugs that you discover. (One guy in particular, who will probably respond to your question here as well.)
Now, I use Indy HTTP server (along with SecureBlackBox SSL support) and I find it to be great for my purposes.
Indy HTTP server calls the WinSock API, and is able to implement:
A full HTTP/1.1 server;
A full HTTPS server (using either OpenSSL libraries or other third parties, like SecureBlackBox).
AFAIK you can use Indy to publish web modules.
See http://www.2p.cz/files/2p.cz/downloads/howto/indy_soap_web_services_in_delphi.pdf
You can also use other servers, for instance directly the kernel-mode http.sys server, which is used by ISS and .Net WCF for instance, and known to be very stable and efficient (it bypasses the WinSock APIs). Of course, it will serve HTTPS conent, if needed. It is available in standard since Windows XP SP2, and therefore in Vista and Seven. Using this component will let Microsoft will do all the debugging work for you, and it will be updated with the host OS. I use it for instance in our Client-Server ORM, or directly to replace a deprecated DCOM connection, with very good speed and stability on customer side.
Regarding virtual servers - the HTTP 1.1 spec requires clients to send a Host request header so virtual servers know which domain is being used specifically to handle the case when multiple domains have the same IP. TIdHTTPRequestInfo has a Host property for that value. In fact, TIdHTTPServer internally validates to makes sure that an HTTP 1.1 request has the Host header before firing any of its OnCommand... events.
We recently started using a Squid HTTP proxy server which provides squid-2.5-ntlmssp authentification.
Does somebody know if NTLMSSP is supported by one of the popular HTTP client libraries for Delphi (Indy, Synapse, ICS, nsoftware ...)?
Update: I just read in Wikipedia that
The Windows Service offering the acceptor side of NTLMSSP has been
removed from Windows Vista and Windows Server 2008 in favor of the
newer Kerberos authentication protocol.
So I guess that this auth method will be replaced by Kerberos soon - anyway I'll leave this question - for 'historic studies', or companies which always are a little behind current rocket-science etc. ;)
Related question: How can I get a Kerberos ticket with Delphi?
It seems Wininet should support it when enabled in the registry.
Indy includes a unit named IdAuthenticationNTLM.pas so it probably supports it, too.