I have a web service with several web methods. Each web method requires the client machine to send its MAC address, and the server validates the client based on this information (if it is not valid, it returns an error) before proceeding to further operations. The communication between client and server is over HTTPS. I only have about 20 clients or so. The question is: is my way of doing this right/secure or not? If not, is there a simple way to do this?

Thanks,

3 Answers

It depends on your security requirements; there is no one definition of "secure enough". As others have said, the MAC can be spoofed and is in effect just a shared secret/password. However, that is sufficient for many scenarios, when the confidentiality of the connection is ensured by HTTPS. You need to define what threats you want to protect the system from and how much you're willing to invest in security.

2 Comments

Thanks for your comment. In my case, I just want to protect the service from unauthorized calls from anonymous clients (whose MAC address is different) and from unnecessary stress on the server load.
In that case I think your current solution should be fine, and basic forms authentication will also be a good solution; go with whatever gives you the least administrative hassle. The main problem with using MACs is that they cannot easily be changed, e.g. if an employee quits and you have to change the secrets that he knows about.
No, it's not secure, because anyone who knows a valid MAC address in your database could call the web service. Of course, knowing a valid MAC address in your database is unlikely; it's as if he knew a password.

3 Comments

What about using basic forms authentication + HTTPS?
@Kenny, if you are using WCF there are different techniques to implement security: transport level or message level. Basic forms authentication + HTTPS is OK.
I don't use WCF; maybe I should go and try Forms Authentication with HTTPS. Thanks for your help!
The client can spoof the MAC address of a machine which is authorized. So, this is not secure.

Protecting your webservice through client certificates would provide better security.

Tutorial : http://www.codeproject.com/KB/WCF/9StepsWCF.aspx

1 Comment

Can you explain more? And of course a tutorial would be greatly appreciated. Thanks
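The client-certificate approach this answer recommends, as an added example (not code from the answer or from the linked tutorial, and in Go rather than WCF): the server demands a client certificate during the TLS handshake and accepts only those it has registered, so a caller who merely knows a valid identifier (a MAC address, a password, a certificate copied out of the database) gets no further than a failed handshake. It assumes a deployment small enough that each client's self-signed certificate is registered directly in the server's trust pool instead of running a private CA; `newClientCert`, `newServer`, `call`, `Demo` and the client names `workstation-01` and `rogue` are hypothetical, and `httptest` stands in for a real listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newClientCert is a hypothetical helper that makes a self-signed certificate and key for
// one client. In practice each client keeps its own key and only the certificate is registered.
func newClientCert(name string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// newServer starts an HTTPS server whose handshake succeeds only for registered certificates.
func newServer(registered []*x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	for _, c := range registered {
		pool.AddCert(c)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/whoami", func(w http.ResponseWriter, r *http.Request) {
		// Identity comes from the verified certificate, not from a value the caller sent.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool, // removing a certificate from this pool revokes that client
	}
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	return srv
}

// call requests /whoami as the given client; cert == nil sends no client certificate.
func call(srv *httptest.Server, cert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/whoami")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo registers one client, then calls the service as that client, as an unregistered
// self-signed client, and with no client certificate at all.
func Demo() (greeting string, rogueErr, noCertErr error) {
	ws1, ws1Cert := newClientCert("workstation-01")
	rogue, _ := newClientCert("rogue") // well-formed certificate, but never registered
	srv := newServer([]*x509.Certificate{ws1Cert})
	defer srv.Close()
	greeting, err := call(srv, &ws1)
	must(err)
	_, rogueErr = call(srv, &rogue)
	_, noCertErr = call(srv, nil)
	return greeting, rogueErr, noCertErr
}

func main() {
	greeting, rogueErr, noCertErr := Demo()
	fmt.Println(greeting, "|", rogueErr, "|", noCertErr)
}
```

Run it with `go run`. The registered client gets `hello workstation-01`; the unregistered self-signed client and the certificate-less client both come back with an error from `Get` (under TLS 1.3 the server's rejection surfaces on the first read rather than inside the handshake, but the request still fails). Because the identity is bound to a private key the client never transmits, neither eavesdropping on the wire nor reading the server's list of registered certificates lets another machine impersonate a client, which is exactly what a MAC address or any other value carried in the request cannot guarantee. Revoking a departed employee's machine is a matter of dropping one certificate from the pool rather than rotating a secret that every client knows.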
