Mono and .Net Core
This page will cover the issues that may occur in Mono and .Net Core when using this library.
While we will try to make the library as compatible as possible with non-Windows platforms, there are certain limitations we will hit. If a workaround for a limitation cannot be found and used, the limitation will be listed here, along with the impact it has on the library itself.
When running Mono or .NET Core on Unix-based platforms, you should warn your users that their password will be held in memory for the entire lifetime of the application and that it will not be encrypted. This is because the Mono and .NET Core implementations do not apply any encryption to the data when storing it in memory. This does not, however, mean the password is insecure in all cases.
With .NET Core, it is stored in unmanaged memory, which reduces how many times the string is copied and stored in memory by the GC. You can read further about the .NET Core implementation here. As for Mono, it appears that it just stores the string in managed memory as a Byte[], which clearly is not secure at all! You can read further about the Mono implementation here.
Ultimately, it is up to you, the developer, to decide whether this risk is acceptable, and furthermore to warn your users about it.
That is simple: as it stands, logging in to Vndb.Org requires the password to be sent in plaintext, as JSON. Of course, this is done over a connection secured by TLS 1.2, but it still means that when logging in, the library needs to convert the password from a SecureString to a normal string.
What's worse is that the workflow of the login method has the password travel from the Unsecure method, to JSON serialization, to the sending of the data before it can be set to String.Empty. This means there are plenty of chances for the data to be copied around in memory by the GC as a raw string, and as a result the insecurities of using a plain String reappear while logging in.
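One way a caller could narrow the window described above is to never materialise a managed string holding the password at all: decrypt the SecureString into unmanaged memory, hand the characters to the JSON writer as a span, and zero every buffer on the way out. This is an added example, not code from the library or its author; it assumes System.Text.Json is available, that Marshal.SecureStringToGlobalAllocUnicode works on the target runtime, and the JSON field names are illustrative placeholders rather than the real login message.

```csharp
using System;
using System.Buffers;
using System.Runtime.InteropServices;
using System.Security;
using System.Text.Json;

public static class LoginPayload
{
    // Serialises the login message to UTF-8 JSON without ever creating a managed
    // System.String that contains the password. The SecureString is decrypted into
    // unmanaged memory, copied into a pinned char[] only for as long as the JSON
    // writer needs it, and both buffers are zeroed before the method returns.
    // Field names ("username", "password") are illustrative, not the real message.
    public static byte[] Build(string username, SecureString password)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[password.Length];
        // Pin the array so the GC cannot relocate it and leave a stale copy behind.
        GCHandle pin = GCHandle.Alloc(chars, GCHandleType.Pinned);
        var buffer = new ArrayBufferWriter<byte>();
        try
        {
            // Assumption: supported on the target runtime (on Mono this is a plain copy,
            // since the page notes Mono keeps the SecureString unencrypted anyway).
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            ReadOnlySpan<char> pw = chars;

            using (var writer = new Utf8JsonWriter(buffer))
            {
                writer.WriteStartObject();
                writer.WriteString("username", username);
                // ReadOnlySpan<char> overload: escaped straight into UTF-8, no string.
                writer.WriteString("password", pw);
                writer.WriteEndObject();
            }
            // Exactly one copy leaves this method; the caller must Array.Clear it after sending.
            return buffer.WrittenSpan.ToArray();
        }
        finally
        {
            Array.Clear(chars, 0, chars.Length);
            pin.Free();
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            buffer.Clear(); // zeroes the writer's underlying buffer as well
        }
    }
}
```

Assigning String.Empty to a variable never overwrites the old string's contents (strings are immutable), which is why the example avoids creating one in the first place. This only narrows the exposure: the returned bytes and the TLS stack's own buffers still carry the plaintext, so it is a mitigation rather than a full solution.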
As far as I can tell, there is simply no cross-platform solution that securely protects data in memory. Sure, I could implement some absurd encrypt / decrypt logic, but that is a rabbit hole I'm not willing to go down, and I refuse to endorse a product that may have 'security' that actually makes it worse.
So this will be fixed when I discover a cross-platform solution, preferably part of .Net Standard, to securely store data in memory, that I don't need to roll my own solution for.