I want to respond back to d.code's post (at least to throw more info on the fire).
d. I love you to death, man!
Let me ask a couple questions. How big is your key? Because even if I can't get it, I may still be able to get to the connection string, even though it is encrypted, through brute force or some other method. While to date Rijndael has proved to be a very powerful encryption engine, someday someone is going to figure out how to crack it quickly ("quickly" being a relative term... "quickly" could mean quicker than 100 years). There may be a bug in how .NET generates IVs that we don't know about. There could be any number of bugs in the encryption engine itself. The point is that we need to have several things that mitigate the situation. Sometimes relying on one mitigation could leave you totally hacked because you could have gone farther with minimal cost.
Am I saying that you are insecure and my idea is secure? Actually, in terms of security you can only say what is more secure. For all I know there may be a bug in ASP.NET that by doing a couple things I can get the box to barf out the entire registry, which means that my method doesn't seem all that great. Maybe a better solution is to create a file that lives in a different directory altogether (and not in the web space), but then what do you do with the file location?
The reality is how secure do you want to be? Or do you need to be? Maybe the registry is the wrong place. I've just seen too many things this week where they were able to read files off the box... I realize that much of what I've seen are straw men, but there was that web service bug that was implied to us at the XML Dev Con that seemed to imply that a malformed SOAP packet might be able to be constructed where it returned the contents of any file in the web space.
The other thing they have been preaching around here is least privilege, which I think that we do in our organization, but what if...
I know from this conference that my app has some glaring holes that I want to fix. (For those readers who don't know, my app has gone through a couple penetration tests, and they've found nothing, but I know about some stuff that needs fixed).
We've all got to get better! Right now, we in the programming community are clueless! For instance, I had no idea what could be done with cross-site scripting. It's evil. I now know how to exploit it, and it is freaking scary what you can do.
Posted on Thursday, November 11, 2004 5:15 PM