I am currently trying to get a debug mail up and running. The moment an error occurs it will send a mail with the error to the mail I use. But after letting somebody test it, he actually got my mail password and mail out of it and decided to change the password.

using System.Net;
using System.Net.Mail;

public void Send() {
    MailMessage MailMesaji = new MailMessage();
    MailMesaji.Subject = "subject";
    MailMesaji.Body = "mail body";
    // From expects a MailAddress, not a string
    MailMesaji.From = new MailAddress("sender mail adress");
    MailMesaji.To.Add(new MailAddress("to mail adress"));
    SmtpClient Smtp = new SmtpClient();
    Smtp.Host = "smtp.gmail.com"; // for example gmail smtp server
    Smtp.EnableSsl = true;
    // Account name and password end up in the compiled .exe as string literals
    Smtp.Credentials = new NetworkCredential("account name", "password");
    Smtp.Send(MailMesaji);
}

So I was wondering, is it possible to encrypt the account name and password to prevent stealing?

I am sorry if I did not search well enough, but I could not find anything on how to encrypt the email/password.

SysDragon
MX D
  • Just googled "C# encrypt" and here's the first result: http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net – SysDragon Feb 07 '13 at 12:33
  • I made a blog post on how to do simple yet effective encryption, maybe it will help you: http://aclassicgeek.blogspot.com/2011/11/encryption-in-c.html – Jeremy Holovacs Feb 07 '13 at 12:41
  • @SysDragon Yeah, that's a normal string encryption. If I try to log in (user credentials) it just says invalid username/password. – MX D Feb 07 '13 at 12:54
  • @JeremyHolovacs Nice tutorial, but this will not enable me to encrypt an email/password and log in to the service (in this case hotmail.com) and send the email – MX D Feb 07 '13 at 12:56
  • Is this a client application that sends messages to the developer? In that case, why use email? I'd just send an HTTPS POST request to your website. – CodesInChaos Feb 07 '13 at 14:04
  • @codesinchaos That is an option I already tried, but the current web host blocks all incoming POST requests. Therefore I went for the alternative, mail. But I think I've got a bit of a roundabout way now to get it to work :) – MX D Feb 07 '13 at 14:10

1 Answer

As you need to recover the original password to use for the mail send, you would have to use some form of reversible encryption.

It sounds like you are in a situation where you want to pass on your source code to another user to test. That tester will be able to simply breakpoint your code on the new System.Net.NetworkCredential line and see what is being passed to the constructor.

So, however you manage to encrypt your credentials, if you are passing the code (or executable) to somebody else for testing, then they will be able to access your password.

paul
  • I am not sending the source code, I am sending the .exe file it produces after release. But he managed to just get my password out of that – MX D Feb 07 '13 at 12:55
  • If you are sending somebody the .exe, it is not hugely difficult for them to use Reflector (http://www.red-gate.com/products/dotnet-development/reflector/) to see what is happening. This is why applications pop up dialogs for users to enter credentials into, rather than storing them in code or config. – paul Feb 07 '13 at 12:59
  • I get that point, but the credentials are always the same. I get the debug logs mailed to me. How would I have to remotely enter my credentials on a foreign machine? Or is there another way to make it automatically send the debug logs to my mail/database – MX D Feb 07 '13 at 13:13
  • Either (a) have an unsecure mail server and potentially open yourself up to being a spam relay or (b) get the user to enter the smtp address and credentials for **their** mail server or (c) deploy a middle tier that users access by using credentials supplied by yourself. This middle tier could then provide controlled access to your mail server (i.e. only sending certain messages with certain content to certain addresses) – paul Feb 07 '13 at 13:21
  • I would prefer to keep it without any user interference. Potential spam wouldn't be a problem though. The big problem right now was that the credentials got read out of the send, making the person access the mail directly. Simply said, I currently used a hotmail.com mail. He went to Hotmail.com and logged in with the user credentials – MX D Feb 07 '13 at 13:25
  • You can't put secrets into an .exe that runs on an untrusted system. It's that simple. – CodesInChaos Feb 07 '13 at 14:14
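
Option (c) from the comments above, sketched as an added example that is not code from the original thread: a relay that runs on a server you control, keeps the SMTP credentials there, and only forwards plain-text reports to one fixed address. The class name, token scheme, size cap, sender address and environment variable names are assumptions; `CryptographicOperations.FixedTimeEquals` requires .NET Core 2.1 or later.

```csharp
using System;
using System.Net;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Text;

// Hypothetical middle tier: deployed on your own server, never shipped to testers.
public sealed class ErrorReportRelay
{
    private const int MaxBodyChars = 16 * 1024;      // assumed cap on report size
    private readonly byte[] _clientToken;            // low-value, revocable token baked into the .exe
    private readonly string _recipient;              // fixed: the client cannot choose the address
    private readonly Func<SmtpClient> _smtpFactory;  // builds the server-side SMTP connection

    public ErrorReportRelay(string clientToken, string recipient, Func<SmtpClient> smtpFactory)
    {
        _clientToken = Encoding.UTF8.GetBytes(clientToken);
        _recipient = recipient;
        _smtpFactory = smtpFactory;
    }

    // Returns null on success, otherwise the reason the report was rejected.
    public string Relay(string presentedToken, string reportBody)
    {
        byte[] presented = Encoding.UTF8.GetBytes(presentedToken ?? "");
        if (!CryptographicOperations.FixedTimeEquals(presented, _clientToken))
            return "unknown client token";
        if (string.IsNullOrWhiteSpace(reportBody) || reportBody.Length > MaxBodyChars)
            return "report empty or too large";
        // Sender address is a constructed placeholder.
        using (var message = new MailMessage("relay@example.invalid", _recipient))
        using (SmtpClient smtp = _smtpFactory())
        {
            message.Subject = "Debug report";        // constant: no client-controlled headers
            message.Body = reportBody;               // sent as plain text (IsBodyHtml defaults to false)
            smtp.Send(message);
        }
        return null;
    }

    // The SMTP password is read from the server's environment, not from any shipped binary.
    public static SmtpClient SmtpFromEnvironment()
    {
        string user = Environment.GetEnvironmentVariable("RELAY_SMTP_USER");
        string password = Environment.GetEnvironmentVariable("RELAY_SMTP_PASSWORD");
        return new SmtpClient(Environment.GetEnvironmentVariable("RELAY_SMTP_HOST"))
        {
            EnableSsl = true,
            Credentials = new NetworkCredential(user, password)
        };
    }
}
```

The shipped .exe then carries only the client token, which at worst lets someone send reports to the fixed address and can be revoked on the server.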