HTTPS and DNS poisoning attack

The best explanation of HTTPS I have seen was written by Jeff Moser, highly recommended!

After reading the article, there was only one thing left unclear, so I asked the author, Jeff Moser, and he responded:

Me:


Just one thing is really unclear to me - DNS poisoning: The attacker obtains the certificate from amazon.com, I enter "amazon.com" into the browser, the browser goes to the attacker's site, which responds with the valid amazon.com certificate signed by Verisign. How does the browser tell this is an attack?


Jeff:

Great question! Note that if an attacker did this, they'd run into trouble in the "Trading Secrets" section that I described. Without knowing Amazon.com's private key, they couldn't decrypt the pre-master secret that the client sends out because the certificate from Verisign has Amazon's public key. Thus, the client would use that public key (and not one an attacker generated).


DNS poisoning is an attack in which the attacker fools the DNS server. You type "amazon.com" in the browser, and the browser asks the DNS server to resolve the hostname, i.e. to translate it to an IP address. Since the DNS server is poisoned, it returns the attacker's IP address and the browser connects to the attacker's server, while the address bar reads "amazon.com" - quite nasty.

Now everything is 100% clear, thanks Jeff!
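
Jeff's point, as an added example that is not part of the original post or of his article: the client encrypts the pre-master secret to the public key in the certificate, so a server that only holds a copy of the certificate cannot recover it. The class name, the locally generated key pairs standing in for the site and the attacker, and the use of OAEP padding are assumptions made for this sketch.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class PoisonedDnsHandshake
{
    // Client encrypts a fresh pre-master secret to the public key found in the
    // certificate; returns true if the server it reached can recover it.
    static bool ServerRecoversSecret(RSAParameters certPublicKey, RSA serverKey)
    {
        byte[] preMaster = new byte[48];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(preMaster);

        byte[] wire;
        using (RSA certKey = RSA.Create())
        {
            certKey.ImportParameters(certPublicKey);
            // Assumption: OAEP is used here so a wrong key fails cleanly
            // (the RSA key exchange in TLS itself uses PKCS#1 v1.5 padding).
            wire = certKey.Encrypt(preMaster, RSAEncryptionPadding.OaepSHA256);
        }

        try
        {
            byte[] recovered = serverKey.Decrypt(wire, RSAEncryptionPadding.OaepSHA256);
            return recovered.SequenceEqual(preMaster);
        }
        catch (CryptographicException)
        {
            return false; // no matching private key: the handshake cannot continue
        }
    }

    static void Main()
    {
        // Constructed keys: siteKey stands in for the real site's key pair,
        // attackerKey for a server that has the certificate but not the private key.
        using (RSA siteKey = RSA.Create(2048))
        using (RSA attackerKey = RSA.Create(2048))
        {
            RSAParameters certPublicKey = siteKey.ExportParameters(false);
            Console.WriteLine("genuine server:  " + ServerRecoversSecret(certPublicKey, siteKey));
            Console.WriteLine("poisoned server: " + ServerRecoversSecret(certPublicKey, attackerKey));
        }
    }
}
```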

Posted by Martin Konicek on 2:08 AM 0 comments

Custom IFormatProvider for doubles

The following example shows how to write a custom IFormatProvider which you can use in String.Format(IFormatProvider, ...).

using System;
using System.Globalization;

public class DoubleFormatter : IFormatProvider, ICustomFormatter
{
    // always use dot separator for doubles
    private CultureInfo enUsCulture =
        CultureInfo.GetCultureInfo("en-US");

    public string Format(string format, object arg,
                            IFormatProvider formatProvider)
    {
        // format doubles to 3 decimal places
        return string.Format(enUsCulture, "{0:0.000}", arg);
    }

    public object GetFormat(Type formatType)
    {
        return (formatType == typeof(ICustomFormatter))
            ? this : null;
    }
}



Having this formatter, we can use it like this:

double width = 15.77555;
double height = 12.8497979;
Console.WriteLine(
    string.Format(new DoubleFormatter(), "w={0} h={1}", width, height));



Output:

w=15.776 h=12.850



So now we have a reusable format for doubles - 3 decimal places with dot separator. That is nice, but this formatter is very simple - it formats everything (e.g. DateTime) as "0.000". This is a fast version if you know that you will only use it for formatting lots of doubles.

The real version should look like this:

using System;
using System.Globalization;

public class DoubleFormatter : IFormatProvider, ICustomFormatter
{
    // always use dot separator for doubles
    private CultureInfo enUsCulture =
        CultureInfo.GetCultureInfo("en-US");

    public string Format(string format, object arg,
                        IFormatProvider formatProvider)
    {
        // string.Format passes null arguments through to the custom formatter;
        // without this check arg.ToString() below would throw
        if (arg == null)
            return string.Empty;

        if (arg is double)
        {
            if (string.IsNullOrEmpty(format))
            {
                // by default, format doubles to 3 decimal places
                return string.Format(enUsCulture, "{0:0.000}", arg);
            }
            else
            {
                // if user supplied own format use it
                return ((double)arg).ToString(format, enUsCulture);
            }
        }
        // format everything else normally
        if (arg is IFormattable)
            return ((IFormattable)arg).ToString(format, formatProvider);
        else return arg.ToString();
    }

    public object GetFormat(Type formatType)
    {
        return (formatType == typeof(ICustomFormatter)) ? this : null;
    }
}



Example:

Console.WriteLine(string.Format(new DoubleFormatter(),
    "Numbers {0} and {1:0.0}. " +
    "Now a string {2}, a number {3}, date {4} and object: {5}",
    1.234567, -0.57123456, "Hi!", 5, DateTime.Now, new object()));



Output:

Numbers 1.235 and -0.6. Now a string Hi!, a number 5, date 12.6.2009 17:11:35 and object: System.Object



This article should give you an overview of implementing a custom IFormatProvider. Now you should be able to modify the code to suit your specific needs.

Other examples with custom formatters can be found in MSDN. See the example with a formatter for 12-digit account numbers (12345–678–9012).

Posted by Martin Konicek on 2:02 PM 2 comments

Associating data with an event

I just solved the following problem - best explained by concrete example:

WPF Animation.Completed is an event. I need to register this event and when it fires, access custom data associated with the event:

void animate(Graph graph)
{
    PointAnimation anim = new PointAnimation();
    anim.Completed += new EventHandler(anim_Completed);

    // in anim_Completed, I want to call graph.Fix() - how?
}

void anim_Completed(object sender, EventArgs e)
{
    // how do I access 'graph' here?
}



Seems like a tough problem. Remembering 'graph' in e.g. a static variable is not an option, especially if more graphs are animated at the same time.
Fortunately, C#'s lambdas come to the rescue:

void animate(Graph graph)
{
    PointAnimation anim = new PointAnimation();
    anim.Completed += new EventHandler((s, e) => { graph.Fix(); });
}



This works because anonymous methods, and lambdas with them, bind to the outer variables they use, so each handler keeps its own 'graph'.

Posted by Martin Konicek on 2:55 PM 0 comments