+ Post New Thread
Results 1 to 4 of 4
Coding Thread, .Net 4 beta 2 and SecureString in Coding and Web Development; I am working on making a small piece of software to stick online for those who want it, and one ...
  1. #1

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    18,530
    Thank Post
    527
    Thanked 2,648 Times in 2,049 Posts
    Blog Entries
    24
    Rep Power
    925

    .Net 4 beta 2 and SecureString

    I am working on making a small piece of software to stick online for those who want it, and one of the things I need it to do is get credentials, with the possibility of storing them (securely), and then use those credentials to send emails.

    So, I've now worked through most of it, and have a nearly working program. The giant issue that remains is a simple one. The password that is entered gets stored in the relatively new object type of 'SecureString' rather than as a normal string. This is a good thing.

    The problem arises when I then want to pass that string to the SMTP server - which calls for a NetworkCredential object for authentication. This object only allows normal strings.

    I have 2 choices. First one, use the joyfully insecure piece of code below and then have it in memory as a normal string anyway.

    Code:
            static String SecureStringToString(SecureString value)
            {
                IntPtr bstr = Marshal.SecureStringToBSTR(value);
    
                try
                {
                    return Marshal.PtrToStringBSTR(bstr);
                }
                finally
                {
                    Marshal.FreeBSTR(bstr);
                }
            }
    or the second option - use the .Net 4 Beta release, which has SecureString support in the NetworkCredential object. The release date for the full version of .Net 4 is March 22nd 2010, so it wouldn't be a huge amount of time, but it would still be me using a pre-release version of .Net.

    So, what would you do?

  2. #2

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    116
    Live with it like everyone else does? I wouldn't put anything into production that uses a beta dotNet, and I'd make that finally section call Marshal.ZeroFreeBSTR(bstr)

  3. #3

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    18,530
    Thank Post
    527
    Thanked 2,648 Times in 2,049 Posts
    Blog Entries
    24
    Rep Power
    925
    I've decided to simply wait until March. Then I'll update to Visual Studio 2010 and .Net 4.

    Fiddling with Marshalling etc... just makes what should be, relatively, secure completely insecure.

  4. #4

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    116
    just makes what should be, relatively, secure completely insecure.
    Secure from what?

    If the answer is to some password stealing malware, then all the best malware gets admin and whatever security you decide to add, as admin it can get past that one way or another.

    Perspective: That password has got to pop out as plaintext in memory somewhere: a) Completely in MS-land where we assume it will be well looked after is a bit better than b) very briefly and cautiously in your code, but that in turn is much better than c) sitting around as plaintext for ages in your code or anywhere else.



SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 23
    Last Post: 3rd October 2009, 06:44 PM
  2. Replies: 0
    Last Post: 5th May 2009, 03:45 PM
  3. Beta Testing
    By bizzel in forum EduSweep
    Replies: 0
    Last Post: 12th March 2008, 10:31 PM
  4. IE 7 beta 1
    By tosca925 in forum Windows
    Replies: 1
    Last Post: 19th December 2005, 12:11 PM
  5. IE 7 Beta 1
    By tarquel in forum Downloads
    Replies: 0
    Last Post: 26th August 2005, 01:40 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •