Last post Dec 25, 2014 04:26 AM by sw-ing
Dec 16, 2014 07:31 PM|dp68|LINK
Microsoft appears to be advocating that, in order to do away with ActiveX, customers should consider a SignalR self-hosted hub or similar arrangement.
Essentially, the hub would run as a Windows service and be connected to via WebSockets.
One misuse case I see with this is that any malicious web page could pretend to be either the client web page or the listening hub service or a man-in-the-middle, hijacking any authentication mechanism you could design. Also, how do you secure the channel?
SSL is great for having a local host trust a remote host to get reliable encryption, but when they are the same host, how is that effective?
Do SignalR and the underlying OWIN layer have a good body of knowledge of security vulnerabilities and/or best practices?
All and any responses welcomed!
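The arrangement described in the post above (a hub inside a Windows service, reached from a browser page over WebSockets on localhost) is the setting for the following added example. It is not code from this thread, from Microsoft or from the SignalR project; it shows one way a self-hosted SignalR 2 hub can address the "any web page can connect" concern on the server side: the hub refuses connections whose Origin header is not on an explicit allow-list and requires a per-session token that the legitimate page obtains from the service out of band. The class names, the allow-listed origin, the token mechanism and the port are all assumptions made for the example.

```csharp
using System;
using System.Linq;
using Microsoft.AspNet.SignalR;
using Microsoft.AspNet.SignalR.Hubs;
using Microsoft.Owin.Hosting;
using Owin;

// Hypothetical authorization attribute: the browser does not enforce the
// same-origin policy for WebSocket connections, so the local service itself
// must decide which page is allowed to talk to it.
public class LocalOriginAuthorizeAttribute : AuthorizeAttribute
{
    // Assumed allow-list: the origin of the one page that is meant to drive
    // the local service. Any other page (or a missing Origin) is refused.
    private static readonly string[] AllowedOrigins = { "https://app.example.com" };

    // Assumed per-session secret, generated at service start-up and handed to
    // the page out of band (for example via the page's own server). A page
    // that was merely loaded in the same browser does not know it.
    internal static readonly string SessionToken = Guid.NewGuid().ToString("N");

    private static bool RequestIsAllowed(IRequest request)
    {
        string origin = request.Headers["Origin"];
        if (string.IsNullOrEmpty(origin) ||
            !AllowedOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase))
        {
            return false;
        }

        // The client sends the token as a query-string parameter when it
        // connects; compare it against the secret the service generated.
        string token = request.QueryString["token"];
        return token != null && token == SessionToken;
    }

    // Called once when a client tries to establish the hub connection.
    public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
    {
        return RequestIsAllowed(request);
    }

    // Called for every hub method invocation. Re-checking here means a
    // connection cannot be used without the token even if it got past the
    // handshake; it also replaces the base class's IsAuthenticated check,
    // which would always fail in a self-host with no authentication middleware.
    public override bool AuthorizeHubMethodInvocation(IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)
    {
        return RequestIsAllowed(hubIncomingInvokerContext.Hub.Context.Request);
    }
}

// Hypothetical hub exposed by the Windows service.
[LocalOriginAuthorize]
public class LocalServiceHub : Hub
{
    public string Ping(string message)
    {
        // Echo with the connection id so the page can confirm which
        // connection answered.
        return "pong from " + Context.ConnectionId + ": " + message;
    }
}

class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // No wildcard CORS policy is enabled here: the attribute above is
        // the only origin check, and a permissive CORS setting would extend
        // access to the non-WebSocket transports as well.
        app.MapSignalR();
    }
}

class Program
{
    static void Main()
    {
        // Bind to the loopback address only. Listening on a wildcard address
        // would expose the service to the rest of the network.
        using (WebApp.Start<Startup>("http://localhost:8089"))
        {
            Console.WriteLine("Hub listening on localhost:8089");
            Console.WriteLine("Session token for the allowed page: " + LocalOriginAuthorizeAttribute.SessionToken);
            Console.ReadLine();
        }
    }
}
```

The page on the allowed origin would pass the token when it connects (for example by appending `?token=...` through the JavaScript client's `qs` property). Two points worth keeping in mind: the Origin header is set by the browser and cannot be altered by page script, so the allow-list is a meaningful check against other pages loaded in the same browser, but it says nothing about non-browser clients on the same machine, which is why the token check is there as well; and neither check replaces TLS for the transport if the service is ever bound to anything other than loopback.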
Dec 18, 2014 03:20 AM|Fei Han - MSFT|LINK
Thanks for your post.
This article describes the security issues we must consider when developing a SignalR application; you could refer to it.
Hope it will be helpful to you.
Dec 18, 2014 07:52 AM|dp68|LINK
Hi Fei Han,
Many thanks for that link which I will read with interest. It is helpful in a general way but does not address my specific concern.
The link refers to using SignalR in a standard client-server way between two hosts.
What I am referring to is a hub running on the same host, localhost, in order for a browser to communicate with the host itself. For example:
To my mind, this opens up the possibility of "script in the middle" attacks, SSL vulnerabilities and things like that, which could not happen if SignalR was hosted on a remote server.
Dec 25, 2014 04:26 AM|sw-ing|LINK
To my mind, this opens up the possibility of "script in the middle" attacks, SSL vulnerabilities and things like that
“SignalR Security Recommendations” suggests that if a SignalR application transmits sensitive information between the client and server, it should use SSL for the transport.