
How to prevent modifying "JSON response" by proxy



  • Hey, I want to protect my project by using an HWID check.

    I have something like this:

    manager->get(QNetworkRequest(QUrl("http://server.url/api.php?hwid=HWIDHERE")));
    

    and when the HWID is found in the database I get a "true" or "false" response.

    How to prevent "potential crackers" from just modifying that value by using a proxy? Is it easy?



  • I don't know much about network, but I think at least you should use https.



  • Yeah I know, current "server" is only for testing, first time doing this.


  • Lifetime Qt Champion

    Hi,

    If you want to secure your data, the first step is using a secure connection.

    Then if it's that precious, you should encrypt your data as well.



  • I will go to a more specific forum with this problem, but I will ask it there too. Is it a good idea to add another layer of encryption? Like something before SSL.


  • Lifetime Qt Champion

    That's up to you. Securing a connection and securing data are two different things. So you have to decide based on your data modeling and use.



  • Assuming that the attacker is going to try to subvert the network communication, then using a secure (HTTPS) connection alone will only slow a determined attacker down by a minute or two (see tools like Fiddler). If the underlying request and response payloads are cryptographically protected (e.g. encrypted and signed) and made time sensitive then faking, replaying, or otherwise tampering with the response becomes a harder proposition.

    A determined attacker may simply patch the binary to either skip the check or force a positive response.

    This is a game of whack-a-mole. How much effort do you want to put in?
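
The last reply's suggestion of a signed, time-sensitive response, sketched as an added example (not code from the thread): the server signs its verdict together with the client's HWID, a per-request nonce and a timestamp, and the client rejects anything altered, replayed or stale. The key, the 30-second window, the field names and the HWID values are assumptions made for the illustration; HMAC-SHA256 stands in for the signature, whereas a shipped client would verify an asymmetric signature against an embedded public key so that it holds no signing secret.

```python
import hashlib, hmac, json, secrets

# Constructed demo key (assumption). HMAC is a stand-in: a real client should
# verify an asymmetric signature so no signing secret ships in the binary.
KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 30  # seconds a response stays acceptable (assumed window)

def _mac(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def server_respond(hwid: str, nonce: str, licensed: set, now: float) -> dict:
    # Server side: the verdict is signed together with hwid, nonce and time.
    body = json.dumps({"hwid": hwid, "nonce": nonce, "ok": hwid in licensed,
                       "ts": int(now)}, sort_keys=True).encode()
    return {"body": body.decode(), "sig": _mac(body)}

def client_verify(resp: dict, hwid: str, nonce: str, now: float) -> bool:
    # Client side: accept only an authentic, fresh answer to this exact request.
    body = resp["body"].encode()
    if not hmac.compare_digest(_mac(body), resp.get("sig", "")):
        return False              # body or signature changed in transit
    msg = json.loads(body)
    if msg["hwid"] != hwid or msg["nonce"] != nonce:
        return False              # answer to a different request or machine
    if abs(now - msg["ts"]) > MAX_AGE:
        return False              # too old to trust
    return msg["ok"] is True

def demo() -> dict:
    licensed, now = {"HWID-AAAA"}, 1_700_000_000.0   # constructed data, fixed clock
    n1, n2 = secrets.token_hex(16), secrets.token_hex(16)  # fresh nonce per request
    good = server_respond("HWID-AAAA", n1, licensed, now)
    denied = server_respond("HWID-BBBB", n2, licensed, now)
    tampered = dict(denied, body=denied["body"].replace("false", "true"))
    return {
        "genuine": client_verify(good, "HWID-AAAA", n1, now + 1),
        "denied": client_verify(denied, "HWID-BBBB", n2, now + 1),
        "tampered": client_verify(tampered, "HWID-BBBB", n2, now + 1),
        "replayed": client_verify(good, "HWID-BBBB", n2, now + 1),
        "stale": client_verify(good, "HWID-AAAA", n1, now + 3600),
    }

if __name__ == "__main__":
    print(demo())
```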

