Hi Paul,
Does the application have to be desktop-based, or can it be web-based?
Thierry Nivelet
FoxinCloud
Give your VFP app a new life in the cloud
http://foxincloud.com/
On 7 Jul 2017 at 02:25, Paul Hemans paul_hemans@laberg.com.au wrote:
The challenge is to make an application that cannot be changed. It doesn't matter if it is copied, but it does matter if the application is changed. The application will always have an internet connection. The point is that the messages coming from the application to the server must be "trusted" that the contents are the original contents. So I was wondering if this workflow might do it, or if there is a simpler method.
- On startup, connect to the server and pass the build version number.
- The server verifies the build # and responds with a script and a unique id built from the server date time and version.
- The script is JavaScript that changes every day with an output code.
- The client runs the script, which builds a hash from all the files in the application directory.
- The script then takes the unique id, the hash, the output code and sends it back to the server as a signature stored in the HTTP session.
- The server verifies that the response is within an acceptable response period by looking at the unique id.
- The server verifies the hash against the hash for that version.
- The signature is stored for the session and all messages within a session must have a matching signature or the request is rejected and the verification process is repeated.
It would seem the weak point would be if someone analyzed the network traffic and then built a proxy to run the script and spoof the session, but it would be difficult because the session script could easily change the way it verifies the running environment. Another weak point might be if the network traffic was sniffed and a rogue application started using the signature. However that would involve a new HTTP session and so the verification would fail.
Can you break it?
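The server side of the workflow described in the quoted message, as an added example that is not part of the original thread: it issues the unique id, checks the response period and the directory hash, and binds the resulting signature to one HTTP session. The signature construction (SHA-256 over id, hash and output code), the 5-second window, the random id suffix, the build table and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Constructed sample data: expected directory hash for each released build.
const KNOWN_BUILDS = { '1.4.2': sha256('constructed contents of build 1.4.2') };
const MAX_AGE_MS = 5000;      // assumed "acceptable response period"
const sessions = new Map();   // HTTP session id -> handshake state

// Hypothetical stand-in for the output code of the script that changes daily.
const dailyOutputCode = (now) => sha256('daily-script:' + Math.floor(now / 86400000));

// Startup: check the build number, then issue a unique id from server time + version.
function startSession(sessionId, version, now) {
  if (!Object.prototype.hasOwnProperty.call(KNOWN_BUILDS, version)) return null;
  // The random suffix is an addition so that two sessions opened in the same
  // millisecond never share an id.
  const uniqueId = `${now}:${version}:${crypto.randomBytes(8).toString('hex')}`;
  sessions.set(sessionId, { version, issuedAt: now, uniqueId, signature: null });
  return { uniqueId, outputCode: dailyOutputCode(now) };
}

// What the delivered script computes on the client from the directory hash.
function clientSignature(uniqueId, directoryHash, outputCode) {
  return sha256([uniqueId, directoryHash, outputCode].join('|'));
}

// Response: reject late answers, then compare with the signature the server expects.
function verifyHandshake(sessionId, signature, now) {
  const s = sessions.get(sessionId);
  if (!s || now - s.issuedAt > MAX_AGE_MS) return false;
  const expected = clientSignature(
    s.uniqueId, KNOWN_BUILDS[s.version], dailyOutputCode(s.issuedAt));
  const a = Buffer.from(expected);
  const b = Buffer.from(String(signature));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  s.signature = expected;   // stored for the rest of this session
  return true;
}

// Every later message must carry the signature stored for its own session.
function acceptMessage(sessionId, signature) {
  const s = sessions.get(sessionId);
  return Boolean(s && s.signature && s.signature === signature);
}
```

The server only ever sees the hash value the client reports, so this check ties messages to a verified session rather than proving which files produced the value.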