Let's imagine that I don't use SSL and I send a token in HTTP headers. The token contains the user ID and is encrypted.
I can imagine that a man-in-the-middle attacker could capture the token and use it. If I use SSL, should it be secure enough? But if I don't use SSL...
Can I add something to the token like for example the user's IP so I can check that the request IP and the encrypted IP in the token are the same?
Can the man-in-the-middle attacker fake the IP address of the victim? Can I use any other user related information when generating the token?
Thanks!
Can the man-in-the-middle attacker (MITM) fake the IP address of the victim?
Since you describe the possible attack as a "man-in-the-middle," yes, the attacker can fake the IP address of the victim.
Can I use any other user related information when generating the token?
Sure, have the user generate a random number that never gets sent in the clear. And better make sure the server also does the same, so that a man-in-the-middle attacker can't just replay an old request. And how can the user be sure that he's communicating with the real server and not the attacker? Better prove the server's identity with a certificate.
There are many such questions that come up in designing a protocol that's secure against man-in-the-middle attacks. If you address all of them, you'll probably come up with something very similar to SSL. For many developers, it's just not worth their time to build their own secure transport protocol.
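The two schemes contrasted above, as an added example that is not part of the original question or answer: first the question's idea (a signed token carrying the user ID and the client IP, checked against the request's source address) and how an in-path attacker relaying the request still passes that check; then a challenge-response in which the server issues a fresh single-use nonce, the client adds its own nonce, and the request is authenticated with a secret that is never sent. All names, addresses, keys and message formats are constructed for the demo. The per-user shared secret stands in for the "random number that never gets sent in the clear" and is assumed to have been established over a trusted channel, which in practice is what a server certificate and TLS provide; nothing here is a substitute for that.

```python
"""Added demo: IP-bound tokens vs. nonce-based challenge-response against
replay by an in-path attacker. Everything below is constructed sample data."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-server-key"  # assumption: a secret known only to the server


# --- Scheme 1: the question's proposal. Token = user_id|ip|HMAC(user_id|ip) ---
def make_token(user_id: str, ip: str) -> str:
    body = f"{user_id}|{ip}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_token(token: str, request_ip: str):
    """Return the user_id if the tag is valid and the embedded IP equals the
    address the request arrived from; otherwise None."""
    try:
        user_id, ip, tag = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user_id}|{ip}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return user_id if ip == request_ip else None


def mitm_replays_token(captured_token: str, victim_ip: str):
    """Assumption: the attacker sits on the path, so the request it forwards (or
    spoofs) reaches the server with the victim's source address. The IP check
    therefore passes and the captured token is accepted as the victim."""
    return verify_token(captured_token, victim_ip)


# --- Scheme 2: fresh nonces on both sides, secret never transmitted ---
def client_sign(secret: bytes, server_nonce: str, client_nonce: str, body: str) -> str:
    msg = f"{server_nonce}|{client_nonce}|{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class NonceServer:
    def __init__(self, client_secrets):
        self.client_secrets = dict(client_secrets)  # assumption: shared out of band
        self.outstanding = {}                       # user_id -> unused server nonce

    def challenge(self, user_id: str) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding[user_id] = nonce
        return nonce

    def handle(self, user_id, server_nonce, client_nonce, body, tag):
        """Accept only a request that answers the currently outstanding challenge.
        The challenge is consumed on any attempt, so a captured request cannot
        be replayed. The reply is bound to the client's nonce so the client can
        detect a replayed response too."""
        issued = self.outstanding.pop(user_id, None)
        secret = self.client_secrets.get(user_id)
        if issued is None or secret is None or issued != server_nonce:
            return None
        if not hmac.compare_digest(tag, client_sign(secret, server_nonce, client_nonce, body)):
            return None
        reply = f"ok:{body}"
        reply_tag = hmac.new(secret, f"{client_nonce}|{reply}".encode(), hashlib.sha256).hexdigest()
        return reply, reply_tag


def run_replay_demo():
    """Returns (legit_accepted, replay_accepted, stale_after_new_challenge_accepted)."""
    secret = secrets.token_bytes(32)
    server = NonceServer({"alice": secret})
    sn = server.challenge("alice")
    cn = secrets.token_hex(16)
    tag = client_sign(secret, sn, cn, "GET /account")
    first = server.handle("alice", sn, cn, "GET /account", tag)
    legit = first is not None and hmac.compare_digest(
        first[1], hmac.new(secret, f"{cn}|{first[0]}".encode(), hashlib.sha256).hexdigest())
    # Attacker replays the exact captured request.
    replay = server.handle("alice", sn, cn, "GET /account", tag) is not None
    # Attacker waits for a new challenge but still only holds the old capture.
    server.challenge("alice")
    stale = server.handle("alice", sn, cn, "GET /account", tag) is not None
    return legit, replay, stale


if __name__ == "__main__":
    tok = make_token("alice", "203.0.113.5")
    print("IP-bound token replayed by in-path attacker ->", mitm_replays_token(tok, "203.0.113.5"))
    print("nonce scheme (legit, replay, stale) ->", run_replay_demo())
```

The IP check only helps against an attacker who is off-path and cannot present the victim's address; the nonce scheme defeats replay but still leaves the problem the answer ends on, namely how the client gets a secret to the server, and how it knows it is talking to the real server, without a certificate.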