Oi, some vendor is telling my bosses that not encrypting the web.config is a big security hole. This sounds like bunk to me. I mean, if someone compromises the server aren't we screwed anyway?
config. It means that connection-specific information such as database name, username, and password is stored as clear text in a file. This is definitely a security concern for your production servers. This is why the connection strings should be encrypted.
Like @Joelt suggested, ASP.NET had a security issue semi-recently that allowed people to access files in the root web etc. Now, this issue could have existed for a long time. Alternatively, there could be a secret flaw right now that no one knows about except some leet punks ... which means we're all vulnerable right now. I mean, until the ASP.NET team (and security people a week or two before them) announced that previous flaw ... how long was that out in the wild? How many people exploited that?
So - that's the general idea. If for some reason a flaw exists - where people can remotely gain access to files - including web.config - then your data could be known.
Now - the kicker is this. So .. someone might find out about my DB name, DB IP addy and DB password .. right? But they need to access my internal DB ... so good luck there. BUT, my web.config might have my Twitter username/password in there? (Ding! light just turned on). My 3rd party API username/passwords, etc.
THAT is where the real security issue lies, IMO.
I'd hate it if you learn my company's Twitter username/password and then start defacing our Twitter account.
The encryption does not mean that you are protected. The private key needed for decryption is stored on the server, so if your server is compromised your web.config can be decrypted.
We only encrypt the connection string section of the web.config. It helps prevent other prying eyes from easily accessing our connection strings especially in the development environment (which is often much less secure than your production environments).
The encryption is just a small piece of the layered security. It is by no means an end-all solution for protecting your sensitive information.
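The two answers above describe the same mechanism from two sides: encrypting only the connectionStrings section so the credentials are not sitting in clear text in the file, and the fact that the key used to protect that section lives on the same server, so code running on that server reads the plaintext transparently. The following is an added example, not code posted in this thread, showing both points with the standard .NET configuration API (the same thing `aspnet_regiis.exe -pe "connectionStrings" -app "/MyApp"` does from the command line). The virtual path `/MyApp` and the connection string name `MainDb` are assumptions for illustration; the DPAPI provider name and the API calls are the real framework ones.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: protect the connectionStrings section of an ASP.NET web.config
// in place, then show that the running application still sees the plaintext,
// because the machine-level DPAPI key used by the provider is stored on the server.
// Requires a reference to System.Configuration and System.Web; run on the web server
// as an account allowed to write the web.config.
public static class WebConfigProtection
{
    // Name of the provider that wraps the section with the Windows DPAPI machine key.
    // (The alternative "RsaProtectedConfigurationProvider" uses an RSA key container.)
    private const string ProviderName = "DataProtectionConfigurationProvider";

    // Encrypts the connectionStrings section if it is not already protected.
    // Returns true when the section is protected after the call.
    public static bool ProtectConnectionStrings(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(ProviderName);
            // ForceSave makes Save() write the section even though no values changed.
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    // Illustrates the second answer's point: on the same machine the framework
    // decrypts the section for you, so anyone who can run code as the app (or who
    // compromised the box) reads the clear-text connection string anyway.
    public static string ReadConnectionString(string appVirtualPath, string name)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConnectionStringSettings settings = config.ConnectionStrings.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString; // plaintext, not the encrypted blob
    }

    public static void Main(string[] args)
    {
        string appPath = args.Length > 0 ? args[0] : "/MyApp"; // assumed virtual path

        bool isProtected = ProtectConnectionStrings(appPath);
        Console.WriteLine("connectionStrings protected on disk: " + isProtected);

        // "MainDb" is an assumed connection string name for this example.
        string cs = ReadConnectionString(appPath, "MainDb");
        Console.WriteLine("What the application itself sees: " + (cs ?? "<not found>"));
    }
}
```

After the first run the `<connectionStrings>` element in web.config carries a `configProtectionProvider` attribute and an `<EncryptedData>` child instead of the clear-text `<add .../>` entries, which is what protects against the "someone reads the file" cases discussed above (a source-disclosure bug, a backup or repository copy, a developer workstation). The second function is the honest caveat from the other answer: the decryption key is machine-local, so the protection covers the file at rest, not a compromised server.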