Good day all. I've taken out some .NET hosting with web fusion but am fighting to get answers regarding their security setup.

Specifically I'm used to full trust environments as I work for a large utilities company.

Usually I would encrypt some / all of my web.config; this I cannot do on their medium trust IIS7 environment, nor will they let me install an RSA key specifically for my application.

So is my configuration file really that safe? I have fears of someone stealing all my sensitive data from my database using the unencrypted connection string.

+2  A: 

You are under a serious delusion thinking encrypting web.config helps. What you are afraid of mostly is someone breaking into your account, and if I can replace your web application, the fact that the connection string is encrypted sort of is pointless as I HAVE TO HAVE access to the decryption key anyway.

So, I can, under any circumstance, always access the database anyway.

TomTom
Hi TomTom, thanks for your prompt response. Yes, this was what I seemed to think. The simplicity of the encryption etc. does seem to remove its effectiveness. I also seem to remember during my training in 2.0 some considerable time ago we all concluded that it wasn't much use. I've simply been trying to take the production release rules I have to adhere to at work, to my own small business. So if I'm already using strong passwords for my hosting account, is this really an issue I can protect from at all, or is it all reliant on the hosting provider's security measures?
Barbloke6
You always have to rely on the hosting provider's security measures. No other way. They control the servers ;)
TomTom
Fair comment TomTom, thanks for putting my mind at rest
Barbloke6
A: 

If you use shared hosting then there is an implicit trust relationship between you and the hosting provider. They are the sys admins and they control the infrastructure and systems that host your application. If the security of your software and data is such that you do not wish to allow a third party to access them then you need to either get a dedicated server or a virtual server. That way you control the system from a security perspective and their sysadmins cannot access your data so long as it is all encrypted. Encrypting the config file on shared hosting is virtually worthless.

Ben Robinson
Agreed Ben. The data I wish to keep isn't super secret (that's on a removable hard drive in my mattress ;) I'm also not particularly bothered about the sys admins being able to view the data etc. My worry is tech savvy competitors stealing my information to gain a competitive edge.
Barbloke6
Essentially what you are worrying about is people committing a crime by hacking into your website and stealing data. The only people likely to do this are criminal hackers and not legitimate competitors. Ultimately this boils down to: do I trust my hosting provider to secure the systems better than I could? If the answer is yes then go for shared hosting; if the answer is no, use some kind of dedicated or virtual server setup.
Ben Robinson