Prevent man in the middle (e.g. proxy) server from pretending something it is not
https://stackoverflow.com//questions/9563742
-
06-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am developing a web service and it is of big importance that I can tell when which end-user is currently executing a request. So, in essence, I need an implicit user (or maybe even better would be, a user's device) identification.
My web service does not require authentication, it is possible that users place a proxy server in between their mobile devices and my web service and route all their traffic through that proxy server. I don't want to forbid users to do that because there may be many reasons but I would like to still know which device is currently connecting.
Some cryptography is needed maybe?
Solution
The standard way to do this is to firstly use HTTPS for the web service. This means the server will authenticate itself to the client, plus that the connection will be both encrypted and authenticated.
Once the server is authenticated to the client and the connection is encrypted and authenticated, you can easily proceed with adding a method to authenticate the client to the server. The most simple way to do that is to include a plain text user id and password in each request. This is safe, exactly because the client knows they will be sent to the right server and because the connection is encrypted.
Well configured proxy servers will allow tunneling of HTTPS traffic. This shouldn't be a problem.
OTHER TIPS
It sounds to me that you are trying to allow only a single application access to your web-service. One method of doing this is TLS with client authentication. For this the client (your application) should have it's own private key certificate pair, and the server will only allow access if the ownership of the private key is proven. It uses the exact same PKI as the default verification of the server, only the other way around.
The advantage of this is that client authentication is a transport level protocol, so you don't need to add an additional security layer in the application itself; none of the URL's protected by TLS can be reached. The disadvantage is that you have a more difficult protocol to set up, and that key distribution becomes a bit harder (if you use token authentication as suggested by Henrick, then you will have to distribute the token securily...).
Most application servers should be able to handle client authentication. More information here under "Client-authenticated TLS handshake".
