Wrox Programmer Forums

BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0
This is the forum to discuss the Wrox book ASP.NET 2.0 Website Programming: Problem - Design - Solution by Marco Bellinaso; ISBN: 9780764584640
  #1 (permalink)  
Old February 1st, 2007, 12:13 PM
Registered User
 
Join Date: Jan 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Can the hosts look at our source code?

I just found out that the administrator in my web hosting company had looked at my source files. That means he will know my database password too. I really don't feel comfortable about it. Is it a normal practice for web hosts to do that?

  #2 (permalink)  
Old February 1st, 2007, 12:27 PM
Wrox Author
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons

.... I am not sure I understand. Are you using Visual Studio to create your applications? If you are, there is no need to upload your source files, just your aspx pages and the compiled .dll, effectively closing your code to prying eyes.

Do you own the boxes your site is hosted on or are they shared servers? This makes a big difference because if you own the boxes and just have them at a data center, then that is a huge problem if one of their admins is getting on your box without your permission.

If you are on a shared box, meaning the hosting company owns the box, there is nothing you can do about it really. THEY own the server and are the administrators of that box and can do anything they wish really. Also, if you are using a SQL Server that, again, is on a box they own, they do not need to go through your code to get your password and such... they have administrator rights to the entire box and hence the SQL Server.

hth.



===========================================================
I will only tell you how to do it, not do it for you.
Unless, of course, you want to hire me to do work for you.
===========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
===========================================================
  #3 (permalink)  
Old February 1st, 2007, 12:39 PM
Registered User
 
Join Date: Jan 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts

But does that mean we all have to encrypt configuration files like web.config?

  #4 (permalink)  
Old February 1st, 2007, 12:53 PM
Wrox Author
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons

If you are running into this problem and that is where your connection string is stored, yes it would be a good idea to encrypt it.

Like I said though, if you are on shared hosting, the Admin doesn't need to look at your source code to access your database.

  #5 (permalink)  
Old February 1st, 2007, 12:54 PM
Authorized User
 
Join Date: May 2006
Posts: 99
Thanks: 0
Thanked 1 Time in 1 Post

While it is not commonplace, administrators are responsible for the operation of the network and will occasionally look at files if they think something may be a factor in the performance of the network.

I'd not be concerned about an administrator seeing your password because they really don't need it and are concerned about their reputation. An apartment building manager doesn't need an apartment owner's key when he has the master key.

  #6 (permalink)  
Old February 1st, 2007, 01:17 PM
Registered User
 
Join Date: Jan 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts

Points taken, but my database contains some very sensitive information and that makes me uneasy that someone else can access, and make a copy of, my database if he wants to. I guess I just have to live with it.

  #7 (permalink)  
Old February 1st, 2007, 01:24 PM
Wrox Author
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons

Mythical makes a good point, their rep is on the line. Can they copy your database? Ya, sure they can. Are they going to? Probably not.

  #8 (permalink)  
Old February 1st, 2007, 01:29 PM
Authorized User
 
Join Date: Jan 2007
Posts: 63
Thanks: 0
Thanked 0 Times in 0 Posts

I guess the best option, other than just plain buying your own personal server(s), would be to use hashing encryption for sensitive passwords etc. in your database. Not even you will be able to decipher the hash-stored items.

  #9 (permalink)  
Old February 3rd, 2007, 09:19 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: Atlanta, Georgia, USA.
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts

SQL 2005 has an encryption option. But you have to modify the SQL to use it, so it's not terribly easy to use. Oracle's encryption doesn't require any changes to the SQL, so maybe Microsoft has some room for improvement.

Eric

  #10 (permalink)  
Old February 6th, 2007, 10:09 PM
plb
Authorized User
 
Join Date: Jan 2007
Location: Oakland, CA, USA.
Posts: 94
Thanks: 0
Thanked 0 Times in 0 Posts

When I was young and waiting to go into the army I worked for a while at the phone company. Late at night I would amuse myself by listening in on random phone conversations. No fancy NSA technology. I just put the alligator clips on a pair of leads and listened on my headset. When I went downtown I probably could have done that for the White House too - but I was too scared.

The point is a lot of technical security is an illusion. If your data is in somebody else's machine in somebody else's building, it is in technical jeopardy. However, my house is in technical jeopardy too from anyone with a rock to break a window. I am protected from burglars by law and police, not by my window glass. Similarly, social constraints (law, business reputation, etc.) are what really protect your data.

Web hosting is a highly competitive business; even a whisper about data hanky panky would be taken very seriously by any vendor with a sense of self preservation. I know the phone company would have fired my ass in a New York minute if they had ever found out what I had been doing.

 

