Planned software: a program like an app store / Play Market, of our own making. Each time it is launched (or at the user's request) it should contact our server and receive information about available products (applications), news, updates, etc. Some kind of accounts are also planned, with different privileges and different responses (from the server to the client).

Client: C#, Windows. Server: IIS, Windows, preferably PHP.

What are the options to organize communication between the client and the server, to exchange information so that they do not intercept and change the content / do not introduce themselves to the server?

Or, as a last resort, an uncomplicated scheme for digitally signing messages from the server (if we start over HTTP).

We have no certificate of our own (paid and long-term). Let's Encrypt / StartSSL issue them only for a short time (up to 1 year). And in general, it is not clear how to work over HTTPS (certificates are required from the client, probably these are root - trusted?).

  • The question is off topic, because the answer is obvious: do not skimp on the SSL certificate. - Naumov
  • You can generate the certificate yourself, since only your own client should believe it. Here are the details. You can translate the answer and maybe it will help not only you. - D-side
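
What the comment above describes, a client that trusts only a certificate you generated yourself, could look like this on the C# side. This is an added example, not code from the thread; the class name `PinnedClient` and the fingerprint placeholder are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedClient
{
    // Placeholder: SHA-256 fingerprint (hex, no separators) of the server's
    // self-generated certificate, compiled into the client build.
    private const string PinnedSha256 = "<SHA256-FINGERPRINT-OF-YOUR-SERVER-CERT>";

    // Pure decision function, so it can be unit-tested without a network.
    public static bool IsPinnedCertificate(X509Certificate2 cert, string pinnedSha256Hex)
    {
        if (cert == null) return false;

        // NotBefore/NotAfter are expressed in local time.
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return false;

        // Hash of the whole DER-encoded certificate, returned as hex.
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, pinnedSha256Hex, StringComparison.OrdinalIgnoreCase);
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                // A self-signed certificate always reports chain errors, so the
                // chain verdict is replaced by the pin. Other errors stay fatal.
                if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
                if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
                return IsPinnedCertificate(cert, PinnedSha256);
            }
        };
        return new HttpClient(handler);
    }
}
```

Because the pin is the hash of one specific certificate, a reissued certificate needs a client update first, so ship the new fingerprint before switching the server over.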

2 answers

Use HTTPS; nothing more is needed for a standard application. A free certificate can be obtained here: https://www.startssl.com and reissuing it once a year is not that difficult.

  • After discussions, we came to the conclusion that it would be easier and more reliable to reissue the certificate annually, and to entrust all the “protection” to the already implemented https. - Newbie127

Even for a normal application, HTTPS alone is clearly not enough, for many reasons. HARDWARE - I advise you to send already encrypted traffic over HTTPS, i.e. inside the channel, all messages are encrypted with RSA (for key exchange for AES) + AES itself. This will be enough, only don't take the RSA certificates from somewhere: generate them yourself and don't forget to save them.

  • Give at least a couple of reasons (you don’t need much). Well, it’s very interesting even to the usual https application, not to mention that it’s not enough and extra crypting is vital. - Max ZS
  • @MaxZS, everything is simple, the first line of the question: "Planned software: a program like app store / play market, own production." I.e., so that the OP does not tear his hair out shouting "Aaaa!!! They broke me!!!" or "Aaaa!!! My users were infected with a virus," as happened recently with the Chinese AppStore. - Align
  • @MaxZS, and as for those who advised HTTPS alone: "flag in your hands," as they say, use it yourself. But do not mislead the OP about its absolute security. Currently, HTTPS does not provide the required level of security. - Align
  • And I also note from myself that it is better to spend a week on a secure client-server connection, than to look into the eyes of people who, because of your laziness, were forced into crypto-fiber bridges ... - Align
  • In terms of cryptography, you suggested making HTTP inside a "TLS-type" inside TLS. The only useful advice in the answer is to make your own certificates, but it comes without an explanation of why. - D-side