Coding Thread, .Net 4 beta 2 and SecureString in Coding and Web Development; I am working on making a small piece of software to stick online for those who want it, and one ...
9th December 2009, 02:08 PM #1
.Net 4 beta 2 and SecureString
I am working on making a small piece of software to stick online for those who want it, and one of the things I need it to do is get credentials, with the possibility of storing them (securely), and then use those credentials to send emails.
So, I've now worked through most of it, and have a nearly working program. The giant issue that remains is a simple one. The password that is entered gets stored in the relatively new object type of 'SecureString' rather than as a normal string. This is a good thing.
The problem arises when I then want to pass that string to the SMTP server - which calls for a NetworkCredential object for authentication. This object only allows normal strings.
I have 2 choices. First one, use the joyfully insecure piece of code below and then have it in memory as a normal string anyway.
or the second option - use the .Net 4 Beta release, which has SecureString support in the NetworkCredential object. The release date for the full version of .Net 4 is March 22nd 2010, so it wouldn't be a huge amount of time, but it would still be me using a pre-release version of .Net.
static String SecureStringToString(SecureString value)
IntPtr bstr = Marshal.SecureStringToBSTR(value);
So, what would you do?
10th December 2009, 12:10 AM #2
Live with it like everyone else does? I wouldn't put anything into production that uses a beta dotNet, and I'd make that finally section call Marshal.ZeroFreeBSTR(bstr)
10th December 2009, 09:05 AM #3
I've decided to simply wait until March. Then I'll update to Visual Studio 2010 and .Net 4.
Fiddling with Marshalling etc... just makes what should be, relatively, secure completely insecure.
11th December 2009, 12:10 AM #4
Secure from what?
just makes what should be, relatively, secure completely insecure.
If the answer is to some password stealing malware, then all the best malware gets admin and whatever security you decide to add, as admin it can get past that one way or another.
Perspective: That password has got to pop out as plaintext in memory somewhere: a) Completely in MS-land where we assume it will be well looked after is a bit better than b) very briefly and cautiously in your code, but that in turn is much better than c) sitting around as plaintext for ages in your code or anywhere else.
By maplay in forum MIS Systems
Last Post: 3rd October 2009, 06:44 PM
By pooley in forum Windows 7
Last Post: 5th May 2009, 03:45 PM
By bizzel in forum EduSweep
Last Post: 12th March 2008, 10:31 PM
By tosca925 in forum Windows
Last Post: 19th December 2005, 12:11 PM
By tarquel in forum Downloads
Last Post: 26th August 2005, 01:40 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)