The most secure way to POST data to a website
Last post 07-21-2008 8:21 AM by adefwebserver. 14 replies.
07-18-2008 9:44 AM
The most secure way to POST data to a website

I have a Silverlight 2 beta 2 app which communicates with a PHP site, which saves the data in MySQL. If a malicious user views the headers sent by my app, he can modify them to insert malicious data in my DB. So I need to protect the communication between my app and my site. What is the most secure approach?

omeganet05

Joined on 03-12-2008
Posts 14
07-18-2008 9:48 AM
Marked as Answer
Re: The most secure way to POST data to a website

The most obvious answer is to just use SSL. Your webservice would only communicate from secure requests, your service urls would probably change to "https". To do this you just need to have an SSL certificate and set it up for your site on your server. This is basically just a server configuration issue then a little bit of code to ensure that incoming service requests are done through https.

I'm not really sure how you would do this in PHP or Apache though.

---
http://www.justnbusiness.com/
~justin chase

justncase80

Joined on 11-22-2005
MN, USA
Posts 140
07-18-2008 10:18 AM
Re: Re: The most secure way to POST data to a website

How can I use SSL with Silverlight? I can configure my web server to use SSL, but how do I make requests from my app? Can you give me example code (even with web services)?

omeganet05

Joined on 03-12-2008
Posts 14
07-18-2008 10:27 AM
Re: Re: The most secure way to POST data to a website

 http://silverlight.net/forums/p/16672/55418.aspx#55418

sladapter
Software Engineer
Aprimo, Inc

Please remember to mark the replies as answers if they answered your question

sladapter

Joined on 03-05-2008
Indiana, US
Posts 2,165
07-18-2008 10:32 AM
Marked as Answer
Re: Re: Re: The most secure way to POST data to a website

Basically you would set up a Service Reference to your webservice, only instead of using the URL:

http://localhost/MyService.svc?WSDL

You would use:

https://localhost/MyService.svc?WSDL

It should be that simple. Of course, replace everything after https with the URL to your WSDL for your service.
 

---
http://www.justnbusiness.com/
~justin chase

justncase80

Joined on 11-22-2005
MN, USA
Posts 140
07-18-2008 11:38 AM
Re: Re: Re: Re: The most secure way to POST data to a website

It looks very easy with WebServices, but my hosting does not provide .NET content. So I have to think of a workaround with PHP. Has anybody done something like that with PHP?

omeganet05

Joined on 03-12-2008
Posts 14
07-18-2008 12:35 PM
Re: Re: Re: Re: The most secure way to POST data to a website

That's ok, in this context a webservice is just a SOAP web service. A WSDL is the service description and this is a standard protocol. I'm not a PHP expert but I'm pretty sure you can find some libraries to create SOAP webservices.

 For example: http://devzone.zend.com/node/view/id/689

Anyway, you create your SOAP webservice in PHP, or Java or .NET or whatever then in your Silverlight application you can "Add a service reference" and point it to the WSDL url. From there it will know how to generate classes for you that can interact with your web service.

I believe there are also ways to interact with REST webservices (which are very common in PHP) but I'm not sure if that is implemented in Silverlight yet. It might be worth looking into at least.
 

---
http://www.justnbusiness.com/
~justin chase

justncase80

Joined on 11-22-2005
MN, USA
Posts 140
07-20-2008 4:55 AM
Re: Re: Re: Re: The most secure way to POST data to a website

 Thanks! I created my PHP WebService. Everything is OK. Now I have to secure it. I want only my Silverlight app to be able to send data to this WebService. So I need a certificate. I have to include my private key in my Silverlight app and put my public key on the server. But is it secure when I include my private key? Can't it be found?

omeganet05

Joined on 03-12-2008
Posts 14
07-20-2008 4:59 AM
Re: Re: Re: Re: The most secure way to POST data to a website

To secure it, all you have to do is call the webservice using https. Since Silverlight runs in a sandbox in the browser, the browser will handle the https for you. This is not something you need to create yourself.

 

(If this has answered your question, please click on "mark as answer" on this post. Thank you!)

Kind Regards,
Rob Houweling

Visit my blog at http://web-snippets.blogspot.com

robhouweling

Joined on 03-01-2008
Ede (the Netherlands)
Posts 316
07-20-2008 6:04 AM
Re: Re: Re: Re: Re: The most secure way to POST data to a website

I read about this. But I want to ensure that my WebService will be called only from my Silverlight app. How can I achieve this? Don't I need to use my private key to encrypt the data so the server can use my public key to decrypt it?

omeganet05

Joined on 03-12-2008
Posts 14
07-20-2008 8:24 AM
Marked as Answer
Re: Re: Re: Re: Re: The most secure way to POST data to a website

There is no way to be 100% certain calls are made from your Silverlight app. Using a key won't help either because the code can easily be read using tools like Reflector.
When you want to display such sensitive info using webservices it's probably best to let the user log in first before they can access the information.

However, this is not really a Silverlight issue, but a common question when it comes to webservices.

Try this article for more info on securing webservices:
http://msdn.microsoft.com/en-us/library/aa302428.aspx

(If this has answered your question, please click on "mark as answer" on this post. Thank you!)

Kind Regards,
Rob Houweling

Visit my blog at http://web-snippets.blogspot.com

robhouweling

Joined on 03-01-2008
Ede (the Netherlands)
Posts 316
07-20-2008 5:44 PM
Re: Re: Re: Re: Re: The most secure way to POST data to a website

I outline a method here:

Implementing "Super Tight Security"

Basically you can store the IP address when the Silverlight App is launched and then only accept requests from that IP address. That combined with a random password should make hacking your web service very difficult.


SilverlightDesktop.net

A framework that allows you to dynamically load Silverlight modules into resizable draggable windows.

adefwebserver

Joined on 06-07-2003
Los Angeles, CA
Posts 74
07-21-2008 1:44 AM
Re: Re: Re: Re: Re: The most secure way to POST data to a website

Hi Michael,

In the method you outlined, can you explain how you determine the call is made from the Silverlight application instead of a normal aspx page?
If a hacker calls the webservice using an aspx page using the password he got, from first opening the page the normal way, he can use your webservice.

I agree it does make it more difficult, but it's not totally secure.

Maybe I misunderstood, so please correct me if I'm wrong.

(If this has answered your question, please click on "mark as answer" on this post. Thank you!)

Kind Regards,
Rob Houweling

Visit my blog at http://web-snippets.blogspot.com

robhouweling

Joined on 03-01-2008
Ede (the Netherlands)
Posts 316
07-21-2008 5:06 AM
Marked as Answer
Re: The most secure way to POST data to a website

Hello, there's no way to tell if the request comes from your Silverlight application or another client. This is similar to a classic web application, where there's no way to tell if the user is using IE/Firefox or a hack browser that simulates IE/Firefox's requests. But there are still a lot of solutions to enhance your service's security. I don't know PHP. But generally speaking, you should enable session on your web services, so only authenticated users can access the service. In WCF, you can use ASP.NET session; I think there's something similar in PHP. When Silverlight makes a request to the service, it will automatically send the session information, if any. It's very difficult to hack a session, since each session will have a different id. Of course, you still need your users to protect their passwords. Even in a classic web application, if the hacker gets the password, he can still do anything that user can, right?

shanaolanxing - Please mark the posts as answers if they help and unmark if they don't.

Yi-Lun Luo - MSFT

Joined on 10-29-2007
Posts 2,066
07-21-2008 8:21 AM
Marked as Answer
Re: Re: Re: Re: Re: The most secure way to POST data to a website

robhouweling:

In the method you outlined, can you explain how you determine the call is made from the Silverlight application instead of a normal aspx page?
If a hacker calls the webservice using an aspx page using the password he got, from first opening the page the normal way, he can use your webservice.

That's why I put in the IPAddress check. The hacker would have to be on your computer or using some sort of IP spoofing AND they have to do this before you logged in again and caused your temporary password to change.

You should never pass the "real" user password from the Silverlight app to the web service.


SilverlightDesktop.net

A framework that allows you to dynamically load Silverlight modules into resizable draggable windows.

adefwebserver

Joined on 06-07-2003
Los Angeles, CA
Posts 74
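
The temporary password with IP check and the session advice from the replies above, sketched server-side in PHP as an added example (not code from any poster or from the linked article). The function names, the `name`/`score` fields, the 15-minute lifetime and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example. $session stands in for $_SESSION after session_start();
// all names, fields and sample requests below are constructed for illustration.
const TOKEN_TTL = 900; // assumed lifetime of the temporary password, in seconds

// After login: issue a random temporary password bound to the client's IP.
function issue_token(array &$session, string $user, string $ip, int $now): string {
    $token = bin2hex(random_bytes(32));
    $session = ['user' => $user, 'ip' => $ip, 'expires' => $now + TOKEN_TTL,
                'token_hash' => hash('sha256', $token)];
    return $token; // given to the client instead of the real password
}

// Gate for every service call: returns the user name, or null to reject.
function authorize(array $session, string $token, string $ip, int $now): ?string {
    if (!isset($session['user'], $session['token_hash'])) return null; // no login
    if ($now >= $session['expires']) return null;                      // expired
    if ($session['ip'] !== $ip) return null;                           // other address
    if (!hash_equals($session['token_hash'], hash('sha256', $token))) return null;
    return $session['user'];
}

// The payload is untrusted whichever client sent it, so validate on the server.
function validate_entry(array $post): ?array {
    $name = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $score = filter_var($post['score'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
    if ($score === false || !preg_match('/^[A-Za-z0-9 _-]{1,32}$/', $name)) return null;
    return ['name' => $name, 'score' => $score];
}

$session = [];
$now = 1216600000; // constructed timestamp
$token = issue_token($session, 'alice', '203.0.113.10', $now);
$cases = [ // label => [token, source IP, time of request]
    'Silverlight app'                 => [$token, '203.0.113.10', $now + 60],
    'other client, same IP and token' => [$token, '203.0.113.10', $now + 60],
    'copied token from another IP'    => [$token, '198.51.100.7', $now + 60],
    'token after expiry'              => [$token, '203.0.113.10', $now + TOKEN_TTL],
    'guessed token'                   => [str_repeat('0', 64), '203.0.113.10', $now + 60],
];
foreach ($cases as $label => [$t, $ip, $at]) {
    printf("%-34s %s\n", $label, authorize($session, $t, $ip, $at) ?? 'rejected');
}
var_dump(validate_entry(['name' => 'alice', 'score' => '120']) !== null); // score in range
var_dump(validate_entry(['name' => 'alice', 'score' => '-5']) === null);  // score out of range
```

The first two cases are indistinguishable to the server, which is the point made in the replies: the check identifies a logged-in session, not the client program, so the payload still has to be validated.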