locked
Security in Sync Services using WCF RRS feed

  • Question

  • Hello,

    I was wondering how can i crypt or secure the messages(up and down) transfer between the SQL CE database and SQL Server 2008 Database !

    is there a way to make it secure ... make the synchronisation secure (The Transfer of messages from the Pocket pC database passing by The service WCF till the SQL Server 2008 and not a login system)

    So is there anything about security issues in Sync Services ?!

    Thank you !!
    • Moved by Hengzhe Li Friday, April 22, 2011 2:39 AM (From:SyncFx - Microsoft Sync Framework Database Providers [ReadOnly])
    Friday, July 17, 2009 1:03 PM

Answers

  • Well, first you should change your IIS-configuration to use HTTPS (do not forget to chance the firewall ports too).

    On your mobile device you must change your webservice url from http to https.

    Normally you will run into trouble now, because I guess you do not have a trusted certificate for your https-webserver.
    If I understand you right, you only want to crypt your messages and do not need a real "trusted computing" scenario.
    Which means, that you do not consider man-in-the-middle-attacks or something else.

    If yes... create a class for your mobile device application, which accepts all certificates:

       public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
        {
            public TrustAllCertificatePolicy()
            { }
    
            public bool CheckValidationResult(ServicePoint sp,
             X509Certificate cert, WebRequest req, int problem)
            {
                return true;
            }
        }
    And use this class before you use your Https-WebService, for example after initialization of your main form:

    System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();
    

    This is a very simple solution, also for newbies ;-)
    But please consider, that it is not 100% secure, because you accept all certifcates and do not ask a trust center!


    Regards,

    Martin


    PS: The idea is taken from http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx. Read this blog for more informations

    Monday, July 20, 2009 8:47 AM

All replies

  • Why don´t you use HTTPS?

    Friday, July 17, 2009 2:22 PM
  • the security of the transport is all supposed to be handled at the application level. as Macap suggested, https can be one of them.

    thanks
    yunwen
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, July 17, 2009 8:38 PM
    Moderator
  • the security of the transport is all supposed to be handled at the application level. as Macap suggested, https can be one of them.

    thanks
    yunwen
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Well i am kind of newbie can you tell me how can i do it on the application level and use HTTPS !!!!! Thanks a lot for your help !
    Monday, July 20, 2009 7:33 AM
  • Well, first you should change your IIS-configuration to use HTTPS (do not forget to chance the firewall ports too).

    On your mobile device you must change your webservice url from http to https.

    Normally you will run into trouble now, because I guess you do not have a trusted certificate for your https-webserver.
    If I understand you right, you only want to crypt your messages and do not need a real "trusted computing" scenario.
    Which means, that you do not consider man-in-the-middle-attacks or something else.

    If yes... create a class for your mobile device application, which accepts all certificates:

       public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
        {
            public TrustAllCertificatePolicy()
            { }
    
            public bool CheckValidationResult(ServicePoint sp,
             X509Certificate cert, WebRequest req, int problem)
            {
                return true;
            }
        }
    And use this class before you use your Https-WebService, for example after initialization of your main form:

    System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();
    

    This is a very simple solution, also for newbies ;-)
    But please consider, that it is not 100% secure, because you accept all certifcates and do not ask a trust center!


    Regards,

    Martin


    PS: The idea is taken from http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx. Read this blog for more informations

    Monday, July 20, 2009 8:47 AM