Board index » Web Programming » Encrypted Connection String and Security....Quick Question

esxmarkc

Encrypted Connection String and Security....Quick Question

Web Programming345
Hi,



Assume I have an asp.net/sql server 2000 web app in a shared hosting

environment. I then encrypt the connection string using

ProtectSection("DataProtectionConfigurationProvider") in the page load

of my default.aspx page.



Am I understanding the following concepts then correctly?



1. I upload the site to the shared hosting server.

2. The first time I run the app eg. www.whatever.com/default.aspx,

the ProtectSection method above is executed.

3. Now the conn string area of my web.config is encrypted, and

asp.net will decrypt as needed.



4. If someone were to hack the server and view the web.config --

whether via getting into the server or via ftp, they would see an

encrypted connection string.





Thanks very much!


-
 
Eliyahu

Registered User

Mon Feb 05 01:18:19 CST 2007

Re:Encrypted Connection String and Security....Quick Question

Why don't you put the encrypted string straight into the web.config before

uploading?



--

Eliyahu Goldin,

Software Developer & Consultant

Microsoft MVP [ASP.NET]

msmvps.com/blogs/egoldin">msmvps.com/blogs/egoldin





"Ranginald" <davidwank@gmail.com>wrote in message

Quote
Hi,



Assume I have an asp.net/sql server 2000 web app in a shared hosting

environment. I then encrypt the connection string using

ProtectSection("DataProtectionConfigurationProvider") in the page load

of my default.aspx page.



Am I understanding the following concepts then correctly?



1. I upload the site to the shared hosting server.

2. The first time I run the app eg. www.whatever.com/default.aspx,

the ProtectSection method above is executed.

3. Now the conn string area of my web.config is encrypted, and

asp.net will decrypt as needed.



4. If someone were to hack the server and view the web.config --

whether via getting into the server or via ftp, they would see an

encrypted connection string.





Thanks very much!







-
Ranginald

Registered User

Mon Feb 05 18:19:30 CST 2007

Re:Encrypted Connection String and Security....Quick Question

On Feb 5, 2:18 am, "Eliyahu Goldin"

<REMOVEALLCAPITALSeEgGoldD...@mMvVpPsS.org>wrote:

Quote
Why don't you put the encrypted string straight into the web.config before

uploading?



--

Eliyahu Goldin,

Software Developer & Consultant

Microsoft MVP [ASP.NET]msmvps.com/blogs/egoldin">msmvps.com/blogs/egoldin



"Ranginald" <davidw...@gmail.com>wrote in message



news:1170649747.955294.142490@v33g2000cwv.googlegroups.com...



>Hi,



>Assume I have an asp.net/sql server 2000 web app in a shared hosting

>environment. I then encrypt the connection string using

>ProtectSection("DataProtectionConfigurationProvider") in the page load

>of my default.aspx page.



>Am I understanding the following concepts then correctly?



>1. I upload the site to the shared hosting server.

>2. The first time I run the app eg.www.whatever.com/default.aspx,

>the ProtectSection method above is executed.

>3. Now the conn string area of my web.config is encrypted, and

>asp.net will decrypt as needed.



>4. If someone were to hack the server and view the web.config --

>whether via getting into the server or via ftp, they would see an

>encrypted connection string.



>Thanks very much!



I would do that but then I'd have to, as far as I know, encrypt it on

the local machine and then export the key. I have no command prompt

access on the shared hosting server, and from all I've read (msdn.

forums, articles, etc) the above way looks to be the most straight

forward.



Are the steps that I outlined correct, though?



Thanks!



-