如果用户可以解密web.config，那么加密它又有什么意义呢? [英] What is the point of encrypting web.config if user can just decrypt it?

问题描述

Oi，一些供应商告诉我的老板，不加密web.config是一个很大的安全漏洞.对我来说，这听起来像双层床.我的意思是，如果有人破坏了服务器，是不是我们还是搞砸了?

Oi, some vendor is telling my bosses that not encrypting the web.config is big security hole. This sounds like bunk to me. I mean, if someone compromises the server aren't we screwed anyways?

推荐答案

加密并不意味着您受到保护.解密所需的私钥存储在服务器上，因此，如果服务器受到威胁，则可以解密web.config.

The encryption does not mean that you are protected. The private key needed for decryption is stored on the server, so if your server is compromised your web.config can be decrypted.

我们仅加密web.config的连接字符串部分.它有助于防止其他人轻易访问我们的连接字符串，尤其是在开发环境(通常不如您的生产环境安全性)中.

We only encrypt the connection string section of the web.config. It helps prevent other prying eyes from easily accessing our connection strings especially in the development environment (which is often much less secure than your production environments).

加密只是分层安全性的一小部分.这绝不是保护您的敏感信息的最终解决方案.

The encryption is just a small piece to the layered security. It is by no means an end-all solution for protecting your sensitive information.

这篇关于如果用户可以解密web.config，那么加密它又有什么意义呢?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！