Coding Stephan

Why most C# apps lack https security

A lot of apps built in C# (or probably any other language) lack basic protection against man-in-the-middle attacks. One of the reasons I could find for this is the following.

If you search the web for how to communicate with your development server (probably not hosted with a valid SSL certificate), most sites tell you to add the following code to your project.

ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => {
	Console.WriteLine("Certificaat: {0}",certificate.Subject);
	Console.WriteLine("SslPolicy: {0}",sslPolicyErrors);
	return true; //This row is the problem. If you don't know why, I wouldn't use apps from your company!
};

While this is perfectly fine during the development phase, you should make sure this code is NEVER included in a build of your project that will be deployed somewhere!
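One way to keep talking to a development server without shipping the accept-everything callback, shown as an added example that is not code from the original post: a callback with the same signature that accepts a certificate with validation errors only in debug builds, and only when it is one specific, known development certificate. The names `CertificatePolicy`, `Install`, `Validate` and `Fingerprint` and the fingerprint placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertificatePolicy
{
    // Placeholder (assumption): SHA-256 fingerprint of your own development
    // server's certificate, as uppercase hex without separators.
    const string DevCertSha256 = "REPLACE_WITH_DEV_CERT_SHA256_HEX";

    // Hypothetical helper: call once at application startup.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Chain is trusted and the host name matches: accept, as the default does.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;
#if DEBUG
        // Debug builds only: accept exactly one known development certificate.
        if (certificate != null && Fingerprint(certificate) == DevCertSha256)
            return true;
#endif
        // Everything else is rejected, in debug and release builds alike.
        Console.WriteLine("Rejected {0}: {1}", certificate?.Subject, sslPolicyErrors);
        return false;
    }

    // SHA-256 over the DER-encoded certificate, formatted as uppercase hex.
    static string Fingerprint(X509Certificate certificate)
    {
        using (var sha256 = SHA256.Create())
        {
            byte[] hash = sha256.ComputeHash(certificate.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }
}
```

Because the exception sits inside `#if DEBUG`, a release build compiles down to the default behaviour: any certificate with policy errors is refused.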