<?xml version="1.0" encoding="windows-1252"?>
<node id="767084" title="Re^2: Where should I have configuration information in a file or database" created="2009-05-30 19:10:44" updated="2009-05-30 19:10:44">
<type id="11">
note</type>
<author id="747201">
afoken</author>
<data>
<field name="doctext">
&lt;blockquote&gt;sections in the config file to store sensitive content that must be encrypted ie the connection string and must be decrypted by the application.&lt;/blockquote&gt;
&lt;p&gt;This may give you a warm fuzzy feeling that you have used encryption and so everything simply just &lt;b&gt;must&lt;/b&gt; be safe.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;But&lt;/b&gt; this is just a little annoyance for anyone trying to get the data: The application must contain the decryption code, and it must contain the decryption key. Both can be extracted, and with the addition of a few simple print statements, you can see the "protected" information in plain text. If the decryption code is buried in the runtime environment, things become even easier for an attacker: Just find the key, call the runtime environment's decryption routine in your own ten-line script, and print what it returns when processing the "protected" information.&lt;/p&gt;
&lt;p&gt;Oh, and I almost forgot: How does it help to encrypt information in a config file that is afterwards transmitted in the clear through the network, e.g. when connecting to a MySQL or FTP server?&lt;/p&gt;
&lt;p&gt;Alexander&lt;/p&gt;
&lt;div class="pmsig"&gt;&lt;div class="pmsig-747201"&gt;
--&lt;br&gt;
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
&lt;/div&gt;&lt;/div&gt;</field>
<field name="root_node">
766845</field>
<field name="parent_node">
766896</field>
</data>
</node>
