What is the meaning of web.config encryption? ASP.NET

Oi, some vendor is telling my bosses that not encrypting web.config is a big security hole. It sounds like bunk to me. I mean, if someone compromises the server, aren't we screwed anyway?

+4
4 answers

Encryption does not mean that you are protected. The private key needed for decryption is stored on the server, so if your server is hacked, your web.config file can be decrypted.

We only encrypt the connection strings section in the web.config file. This helps keep other prying eyes from getting at our connection strings, especially in a development environment (which is often much less secure than your production environment).

Encryption is just one small part of multi-layered security. It is by no means the final word in protecting your confidential information.

+4
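As an added example that is not part of the original thread, the following PowerShell script does what this answer describes: it encrypts only the connectionStrings section with the DPAPI-backed DataProtectionConfigurationProvider, shows what is left on disk, and then shows that code running on the same server still reads the plaintext. The application path is a placeholder; the .NET Framework 4.x tool path is an assumption.

```powershell
# Added example, not code from the original thread. Encrypts only the
# <connectionStrings> section of a web.config with the DPAPI-backed provider,
# shows what lands on disk, and shows that code on the same server still
# reads the plaintext (the decryption key lives on the server).
# Assumptions: .NET Framework 4.x on 64-bit Windows; $appDir is a placeholder path.
$appDir       = "C:\inetpub\wwwroot\MyApp"   # placeholder: your application's physical path
$webConfig    = Join-Path $appDir "web.config"
$aspnetRegiis = Join-Path $env:windir "Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

# 1. Encrypt just the connectionStrings section in place (-pef = protect, by physical path).
#    DataProtectionConfigurationProvider uses the Windows DPAPI machine key, so the
#    ciphertext is tied to this machine; "-pdf" reverses it, but only on the same box.
& $aspnetRegiis -pef "connectionStrings" $appDir -prov "DataProtectionConfigurationProvider"
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# 2. What someone who can only read the file (e.g. through a file-disclosure bug) now sees:
#    an <EncryptedData>/<CipherValue> blob instead of the connection strings.
Select-String -Path $webConfig -Pattern "configProtectionProvider|CipherValue"

# 3. What code running on the server sees: the configuration API decrypts transparently,
#    which is why this helps against file disclosure but not against a server compromise.
Add-Type -AssemblyName System.Configuration
Add-Type -AssemblyName System.Web
$map = New-Object System.Web.Configuration.WebConfigurationFileMap
$map.VirtualDirectories.Add("/", (New-Object System.Web.Configuration.VirtualDirectoryMapping($appDir, $true)))
$config  = [System.Web.Configuration.WebConfigurationManager]::OpenMappedWebConfiguration($map, "/")
$section = $config.GetSection("connectionStrings")
"Section protected on disk: $($section.SectionInformation.IsProtected)"
foreach ($cs in $section.ConnectionStrings) {
    # Plaintext is available to any process on this machine that can use the machine DPAPI key.
    "{0} -> {1}" -f $cs.Name, $cs.ConnectionString
}
```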

As @Joelt said, ASP.NET recently had a security issue that allowed people to access files in the web root, etc. Now, that problem could have existed for a long time. Besides, there may be a secret flaw right now that no one knows about except some Lithuanian punks... which means we are all vulnerable right now. I mean, until the ASP.NET team (and the security people a week or two before them) announced that previous bug... how long had it been in the wild? How many people exploited it?

So that's the general idea. If for some reason there is a flaw and people can remotely access files, including web.config, then your data may become known.

Now here's the kicker. So, someone can find out my database name, DB IP addy and DB password. Right? But they need to access my internal DB... so good luck there. BUT, could my web.config have my Twitter username/password? (Only the light is on!) My third-party API usernames/passwords, etc.

This is the real security issue, IMO.

I really wouldn't like it if you found my company's Twitter username/password and then started defacing our Twitter account.

+5

ASP.NET recently had a publicly released security hole that would allow a remote user to access any file in the root directory of a website, including web.config, without access to the entire server. In addition, the web.config file may contain login information that allows one compromised server to be used to compromise another.

+2

In my case, I use a hosting account. Thus, many people have access to my account and the files stored there.

Personally, I'm not too worried about this. But if someone had a mind to, they could access this information. And even if you own the server, if it belongs to a company, there may be many people who have access to it.

For critical data, encryption makes sense.

+1

Source: https://habr.com/ru/post/1332049/
