
Preventing Host Redirection


What is the best way to prevent host redirection?

For example, say I have some pseudo code like this:

string result = downloadStr("http://mywebsite.com/login.php?pass=whatever&username=whatever");
if(result == "true")
    return success_login;
else
    return failed_login;

I could easily just go and edit my 'hosts' file to redirect 'mywebsite.com' to my localhost, and always have it return 'true'. Was this question not asked before because it is not a problem with security?

The best way I could think of would be doing something like this:

string ip = get_website_ip("http://mywebsite.com/");
if(ip != "216.250.121.107")
{
    //Host redirection detected.
}
else
{
    //It's all good.
}

Solution

  • Generally speaking your entire technique of licensing (presumably) is flawed. You are right, someone can easily modify the hosts file and make that return true. Even if you changed it to the direct IP address, they can modify their firewall (and other things) to return a true value for this request as well.

    The better way of doing this is to not do it over an unencrypted HTTP request at all. Use an encrypted request to an IP address, and make sure your client can reliably authenticate that your licensing server is who it says it is.

    An easy solution is to set up an SSL certificate on your HTTP server. Then make this request over HTTPS, and verify the server in the HTTPS request. This way, you don't even need to bother worrying if they tamper with the hosts file, since it will still not verify the SSL request.
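The verified-HTTPS approach from the answer above, as an added example in Python (not code from the original post): the client enforces chain and hostname validation and additionally pins the server certificate's SHA-256 fingerprint, so a hosts-file redirect to a local server fails the handshake or the pin check and is treated as failed_login. The host, path, the placeholder pin value, and sending the credentials in a POST body instead of the query string are assumptions, not from the question.

```python
import hashlib
import hmac
import http.client
import ssl
import urllib.parse

# Assumed values (not from the original post): the license host and path from the
# question, and a placeholder for the SHA-256 of the server's DER-encoded certificate,
# which a real client would record at build time.
LICENSE_HOST = "mywebsite.com"
LICENSE_PATH = "/login.php"
PINNED_CERT_SHA256 = "00" * 32  # placeholder, replace with the real fingerprint


def make_tls_context() -> ssl.SSLContext:
    # System trust store, hostname check and mandatory chain validation: a hosts-file
    # redirect to a server without a valid certificate for LICENSE_HOST fails here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of the DER certificate, the value that is pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    # Constant-time compare; the pin also rejects a certificate that a locally
    # installed rogue CA would otherwise make "trusted" on the client machine.
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())


def parse_login_result(body: bytes) -> bool:
    # Same contract as the question: the server answers the literal string "true".
    return body.strip() == b"true"


def check_license(username: str, password: str, pinned_sha256: str = PINNED_CERT_SHA256) -> bool:
    """True only when a verified, pinned server answers "true"; any TLS, pin or
    transport failure is treated as failed_login (fail closed)."""
    conn = http.client.HTTPSConnection(LICENSE_HOST, 443, context=make_tls_context(), timeout=10)
    try:
        conn.connect()  # raises ssl.SSLCertVerificationError on a bad chain or hostname
        if not pin_matches(conn.sock.getpeercert(binary_form=True), pinned_sha256):
            return False
        body = urllib.parse.urlencode({"username": username, "pass": password})
        conn.request("POST", LICENSE_PATH, body, {"Content-Type": "application/x-www-form-urlencoded"})
        return parse_login_result(conn.getresponse().read())
    except (ssl.SSLError, OSError):
        return False
    finally:
        conn.close()
```

Note that pinning means the client must be updated whenever the server certificate is rotated, which is the usual trade-off for blocking locally installed rogue CAs.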