I have created an activex control that will be used only for our intranet. Can I somehow sign the control for free if its being used only internally or do I still need to buy a certificate?
You will have to sign the control with a certificate that all machines on your intranet trust. This article http://www.top20toolbar.com/misc/codesigncert.htm suggests a method but it involves importing a certificate on every client computer, which may be impractical for you.
If you have an internal certificate server (eg MS Certificate Services) that all machines trust it would make deployment easier.
Related
We have developed an android mobile application where we are interacting with microsoft graph api. We have to add certificate pinning to avoid man in the middle attacks. To implement this we will need to hardcode the public key in the app, but Microsoft graph apis keeps on changing the public key.
How can we implement certificate pinning and how can we prevent man in middle attacks?
You might try Certificate Transparency which provides an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
Please take a look to Certificate Transparency for Android.
I need to prevent MIM(Man in the middle attack) for my native apps which use Azure API management. Though we have secured API management using JWT, we need to secure the HTTPS requests coming from apps to prevent a man in the middle attack. What is the best way to achieve SSL pinning using Azure API management?
I tried adding a self signed SSL certificate in API management certificate, but the apps are not able to use that certificate. What would be the best way to solve?
Using a certificate signed by a public CA is really your only option for a publicly accessible endpoint. You could use a private CA if you're in an enterprise environment with the CA trusted on all devices connecting to the endpoint.
How to verify if the API being hit is from the actual application and is not going through any MITM attacks.
I understand SSL certificates can be used to achieve transport level security and the app can be sure it is taking to the correct server, but how can I attain the same thing from app side.
I just want to make sure that only my app is hitting my services and the hit is not coming from somewhere I don't trust.
Thanks
Have a look at SSL again - it offers client certificates, for example, to do so. Yet, this only shifts the problem as an attacker might use the same mechanism the apps use to get certificates. (An shared API token is often considered okay as well and much easier to implement.)
In general, you cannot achieve a guarantee for that. You might get a good result by issueing certificates based on user authentication by external means (e.g. make users put in their user names and passwords) or make it hard for adversaries to abuse your API by using reverse turing tests (e.g. completely automated programms to tell computers and humans apart, aka CAPTCHAs).
The same way that the client validates the server based on its server certificate, SSL supports the server issuing client certificates and requiring communication to be signed with that specific certificate.
With this approach it comes down to possession of the certificate rather than, say, knowledge of a password. Which in the case of mobile is problematic, because an attacker can more easily gain physical access to your device and read your app's documents. So take care to store your keys in your keychain.
Also, your method of handshaking with your server and asking it to issue a client certificate becomes a security bottleneck. An attacker could, since she has physical access to the device, sniff the traffic and easily figure out the API calls needed to get the server to issue the proper certificate.
Read Apple's business oriented document on security in iOS here.
I would like to improve the security of the transactions that occur on an Azure website I am developing by using an SSL certificate. However, I know very little about the subject. Azure seems to support SSL and I can get certificates from numerous authorities.
I only want to be able to get to the transactional stuff if the connection is secure. The main home/landing page of the site can be arrived at using http or https?
Where can I go to find out more about SSL and particularly how I incorporate it into Azure websites?
You can take a look at this sites
http://www.windowsazure.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
http://www.windowsazure.com/en-us/documentation/articles/cloud-services-configure-ssl-certificate/
I am writing a Delphi application that allows a user to connect to an AIX system to perform various tasks.
I need to allow a user to sign on to the AIX system before they are allowed to do anything, so I need a method by which their username/password can be authenticated.
I had initially thought that I could display a sign on screen where they would enter their username and password, then establish an FTP connection (or Telnet, or something similar) with the AIX system, but this would not be a reliable method as the functionality may be locked down (eg. FTP port blocked etc.) which would obviously result in a failed sign on despite the username/password credentials being correct.
The bottom line is this: How can I authenticate a user's username/password against an AIX user account by using Delphi? A colleague suggested that using SSH might work, but I suppose I'd need a 3rd party component for that (if one exists). I am using Delphi 2009 Pro.
AIX supports Kerberos, you only need a Kerberos client for Delphi.
See
How can I get a Kerberos ticket with Delphi?
Kerberos (pronounced /ˈkɛərbərəs/)
is a computer network authentication
protocol, which allows nodes
communicating over a non-secure
network to prove their identity to one
another in a secure manner.