Ch 9-Sending Email-Encrytping web.config

btcomp · August 27th, 2010, 07:38 PM

I did the assignment on p319 a week ago after Imar mentioned it to me in a previous post. Imar's post Aug 13, 2010

I did the exercise a week ago and successful on my own localhost server. I want to try and put on my GoDaddy hosting. Now the web.config file is supposed to be unaccessible to people with no access to my server files. However, some have mentioned using an encrypted web.config file?

http://ondotnet.com/pub/a/dotnet/200...onnstring.html

http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

I might be a bit paranoid, but I think it would pay to at least encrypt the passwords!

Imar · August 28th, 2010, 04:02 AM

Not sure what this post is about. Are you asking a qustion, or merely documenting your progress?

Imar

btcomp · August 28th, 2010, 07:07 AM

Well actually, a bit of both. I try to put down the chapter and pages, or at least keep the key idea in the title.

But I have raised a very valid point. The exercise on page 319 raises a security issue. When you put your login information in any file on a server (and unecrypted) you raise the possiblity of it being exposed to anyone who can get access to your server.

One person raised the concern that you might change the extension say from web.config to web.txt and then anyone who entered www.yourdomain/webconfig.txt in the URL is going to get the text of this file.

Granted you can't get the web.config contents by just requesting the URL, but as some of the links I have looked at it isn't an impossibility!;-)

btcomp · August 28th, 2010, 04:37 PM

Quick note on my post. I don't believe GoDaddy supports encrypting because of shared hosting. I will just have to be careful with passwords in config.web file and probably good idea to change them often. If it is a mission critical company you would have a dedicated server and then encrypting would be easier and a good thing to do.