Eric, there’s a lot of confusion in the area of cryptography and security.
I think even the suggestions were good, but I believe there could be serious flaws there.
Getting the MAC doesn’t seem like a good solution.
The answer to security questions (and nonencryption) always starts like this:
How desirable is my application and my data? Would it be worth stealing my code and database? If so, how much time and resources would be worth "investing in"? Example: Do you store passwords without encryption, card data or confidential user information? If so, you should be very worried.
Based on the above answer, what kind of people would try to steal my information?
Would they be interested in my algorithms or in my database?
If your answer is that data is desirable enough for high-ranking criminals, you can be sure that MAC encryption is not the solution. Many of the available servers use virtual machines, which would make it really very easy to clone physical MACs.
The truth is that the question you asked is the same question asked by security companies around the world, and yet they continue to fall under attack. I say this because the issue is really serious. It is not difficult to get .NET code and "decompile" it. There are code obfuscators. They can disguise the logic of your application very well, but not the security (encryption) you use. They don’t have the power to change their passwords... just try to hide them somewhere better.
The simple answer: you are not safe in any way by hosting your website on an information provider other than your own. However much security the server has, in general the key is to try to use your access password. Having your own requires skilled professionals in the field, but it ends up being much easier.
Going back to the questions above, if what’s most valuable is your code, invest in it. Use ways to obfuscate (.Net Obfuscator?). To have a slightly simpler control, you could have a site with a fixed IP that is not shared with other applications on the same server (strange, but it would not be impossible for someone to host another site on the same server and get the IP response). Hence every time your system starts, you could check what your current IP is by asking external and internal servers for your IP. Your external server would be able to reliably verify if the IP of the call is that of the servers at your fingertips.
That’s when cryptography finally comes in. You could send an encrypted reply authorizing the execution of your application. Remember to constantly change the key to your encryption over time (every 1 month or so), deploying to your clients, updating both your external server and your applications. Even if someone could take possession of every arsenal to "copy" their code, they would not be able to decrypt the sequences in time for a new deploy.
If the important information is in the database, the conversation needs to be completely different.
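The start-up check described in this answer, sketched as an added example (not the answerer's code or any product's): the licence server authorizes only calls from a known fixed IP and returns a reply bound to a fresh nonce and an expiry. It uses an HMAC tag in place of the "encrypted reply" the answer mentions, because the application needs authenticity here rather than secrecy; all keys, key ids, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample values: keys, key ids and addresses are placeholders.
# In a real deployment the server and the application each hold their own copy.
KEYS = {"2024-05": b"constructed-key-may", "2024-06": b"constructed-key-june"}
CURRENT_KEY_ID = "2024-06"       # changed on each (e.g. monthly) deploy
ALLOWED_IPS = {"203.0.113.10"}   # fixed IP of the licensed deployment
TOKEN_LIFETIME = 300             # seconds an authorization stays valid


def _mac(key_id, nonce, ip, expires):
    msg = f"{key_id}|{nonce}|{ip}|{expires}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha256).hexdigest()


def issue_authorization(nonce, caller_ip, now=None):
    """Licence server: authorize only calls arriving from a known fixed IP."""
    if caller_ip not in ALLOWED_IPS:
        return None
    expires = int(now if now is not None else time.time()) + TOKEN_LIFETIME
    tag = _mac(CURRENT_KEY_ID, nonce, caller_ip, expires)
    return f"{CURRENT_KEY_ID}|{caller_ip}|{expires}|{tag}"


def verify_authorization(token, nonce, accepted_key_ids, now=None):
    """Application: accept the reply only if it is authentic, fresh and current."""
    try:
        key_id, ip, expires, tag = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):   # no reply, or a malformed one
        return False
    if key_id not in accepted_key_ids or key_id not in KEYS:
        return False                       # key retired by a newer deploy
    if expires < (now if now is not None else time.time()):
        return False                       # stale reply
    return hmac.compare_digest(tag.encode(), _mac(key_id, nonce, ip, expires).encode())


def startup_check(caller_ip, accepted_key_ids=(CURRENT_KEY_ID,)):
    """One application start: a fresh nonce means an old reply cannot be replayed."""
    nonce = secrets.token_hex(16)
    token = issue_authorization(nonce, caller_ip)
    return verify_authorization(token, nonce, accepted_key_ids)
```

The key deployed with the application can still be recovered by decompiling it, which is why the answer pairs this check with regular key rotation.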
I disagree only on the part about obfuscation, but otherwise +1, and this should be the answer marked as correct.
– Oralista de Sistemas
Excellent answer! Very good indeed. Nowadays there is no way to be 100% safe. But answering the questions. Not that my system is a gold mine. Far from it. I don’t keep such sensitive information that way. Just a system of occurrences with your students and users. Only. My intention is only to protect the project from intentional theft of my code so that another place uses it as if I had sold it. The question is just that. After deploying, the person can’t get my code from the Inetpub folder, copy and paste it into another IIS server. But congratulations, very good answer!
– Érik Thiago