I assess software security for a living, but I almost missed this one.
<connectionStrings>
<add name="Conn" connectionString="server=server1; database=database1; Integrated Security=True" Encrypt="True"/>
</connectionStrings>
This connection string was being used in an application that stored confidential data in the database. The data should have been encrypted on the network (from the web server to the database server). I know that for an application to choose encryption for specific SQL connections, it has to set “Encrypt=True” in the connection string and this one was doing it… Or was it?
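On closer inspection, “Encrypt=True” is outside the connection string! It is written as a separate attribute on the <add> element, not as a keyword inside the connectionString value, so the data wouldn’t have been encrypted. This is how it should have been: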
<connectionStrings>
<add name="Conn" connectionString="server=server1; database=database1; Integrated Security=true; Encrypt=True" />
</connectionStrings>
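A mistake like this is easy to catch mechanically. The script below is an added example, not part of the original post: it flags any <add> entry that carries attributes outside the connection string or whose connectionString value does not turn encryption on. The function names, the set of accepted Encrypt values and the simple semicolon splitting are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Attributes the <add> element of <connectionStrings> defines.
KNOWN_ATTRS = {"name", "connectionString", "providerName"}
# Values treated as "encryption on" (assumption: true/yes, plus the
# Mandatory/Strict options of newer SqlClient versions).
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}

# The two snippets from the post, embedded as sample input.
BAD = '''<connectionStrings>
<add name="Conn" connectionString="server=server1; database=database1; Integrated Security=True" Encrypt="True"/>
</connectionStrings>'''
GOOD = '''<connectionStrings>
<add name="Conn" connectionString="server=server1; database=database1; Integrated Security=true; Encrypt=True" />
</connectionStrings>'''


def parse_conn_string(value):
    """Split 'k1=v1; k2=v2' into a dict with lower-cased keys.

    Simplification: quoted values that contain ';' are not handled.
    """
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_config(xml_text):
    """Return (name, problem) tuples for each <add> under <connectionStrings>."""
    findings = []
    root = ET.fromstring(xml_text)
    for section in root.iter("connectionStrings"):  # works for a full web.config too
        for add in section.findall("add"):
            name = add.get("name", "?")
            for attr in sorted(set(add.attrib) - KNOWN_ATTRS):
                findings.append((name, f"attribute '{attr}' is outside the connection string"))
            settings = parse_conn_string(add.get("connectionString", ""))
            if settings.get("encrypt", "").lower() not in ENCRYPT_ON:
                findings.append((name, "connectionString does not enable Encrypt"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BAD), ("after", GOOD)):
        print(label, audit_config(text) or "OK")
```

Run against the first snippet it reports both problems for "Conn"; the corrected snippet produces no findings.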