another question about encrypting web.config sections

Keith G Hicks

I added a page to my site (in a secure folder that only my login has access
to) that lets me (and only me) encrypt or decrypt the web.config at will.
Ok, so far so good.



What I don't understand is that if a hacker can get to my web.config,
certainly he could probably get to my encrypt/decrypt page and run the
decrypt button. If I delete that page from the site, so what? Anyone who
knows this stuff could put a similar page up there.


I really don't see the point of all of this. It seems like locking your
front door but leaving the key on a nail near the door knob. I must be
missing something. Can anyone shed some light on this for me? It seems so
full of holes.



Thanks,



Keith
 
Dominick Baier

Well - there are two different threat models:

- reading data on a machine
and
- executing code on that machine

The latter is obviously much harder.

The purpose of protected config is to protect you against threat #1.
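
An added example, not code from either poster: the kind of helper an encrypt/decrypt admin page like the one described in the question could call, using the standard `System.Configuration` protected-configuration API. The class name, the choice of the DPAPI provider and the `connectionStrings` section in the usage comment are assumptions for illustration.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Illustrative helper (hypothetical name), not the original poster's page.
public static class ConfigProtection
{
    // Built-in DPAPI-based provider; "RsaProtectedConfigurationProvider"
    // is the built-in alternative backed by an RSA key container.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts one section of the application's web.config.
    // Returns true if the file was changed.
    public static bool Protect(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = GetRequiredSection(config, sectionName);
        if (section.SectionInformation.IsProtected) return false;

        // After Save(), the section on disk is an <EncryptedData> element.
        // Someone who can only read the file (threat #1) sees ciphertext.
        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Decrypts the section again. This succeeds only because the code is
    // executing on the server that holds the key (threat #2): the key is
    // not stored in web.config, so a copied file cannot be decrypted elsewhere.
    public static bool Unprotect(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = GetRequiredSection(config, sectionName);
        if (!section.SectionInformation.IsProtected) return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    private static ConfigurationSection GetRequiredSection(Configuration config, string name)
    {
        ConfigurationSection section = config.GetSection(name);
        if (section == null)
            throw new ArgumentException("No such configuration section: " + name);
        return section;
    }
}
// Usage from an admin-only page: ConfigProtection.Protect("connectionStrings");
```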
 
