Good point.
However, any data which requires secure transmission should [also]
have been secured at the start of the conversation, as is the case
when using https. The problem with only using the viewstatemac setting
is that information (i.e. that contained in form variables) is sent as
part of the request to the server and naturally not encrypted. As
such, it is only the __VIEWSTATE field which is encrypted on the
server, which is then sent back to the client as part of the response.
On Sun, 22 Feb 2004 00:35:16 -0500, UAError <> wrote:
>"Brunswick Lowe" <> wrote:
>
>>It's encrypted, though, right?
>>
>It is only encrypted if in the machine.config:
>
><machineKey validation='3DES' />
>
>
>Building Secure ASP.NET Applications
>Chapter 8: Page 187
>
>Securing View State
>
>If your ASP.NET Web applications use view state:
>- Ensure the integrity of view state (to ensure
> it is not altered in any way while in transit)
> by setting the enableViewStateMac to true as
> shown below. This causes ASP.NET to generate
> a Message Authentication Code (MAC) on the
> page’s view state when the page is posted
> back from the client.
> <%@ Page enableViewStateMac="true" %>
>- Configure the validation attribute on the
> <machineKey> element in Machine.config, to
> specify the type of encryption to use for data validation.
> Consider the following:
> - Secure Hash Algorithm 1 (SHA1) produces a larger hash
> size than Message Digest 5 (MD5) so it is considered
> more secure. However, view state protected with SHA1
> or MD5 can be decoded in transit or on the client
> side and can potentially be viewed in plain text.
> - Use 3 Data Encryption Standard (3DES) to detect
> changes in the view state and to also encrypt it
> while in transit. When in this state, even if
> view state is decoded, it cannot be viewed in plain text.
Kline Sphere (Chalk) MCNGP #3
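To make the distinction in the quoted excerpt concrete, here is an added Python sketch (not from the book or from any of the posters) of what SHA1-only validation buys you: the MAC catches any alteration of the blob, but the base64 payload stays readable to anyone who sees the request or the response, which is the point of preferring 3DES or https. The key and the field names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret standing in for the machineKey validationKey
# (assumption: a real deployment uses a generated, per-application key).
VALIDATION_KEY = b"constructed-validation-key-not-a-real-machineKey"
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA1


def protect_with_mac(fields: dict) -> str:
    """Serialise page state and append an HMAC-SHA1 tag, modelling
    enableViewStateMac with validation='SHA1': integrity only."""
    payload = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(VALIDATION_KEY, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + tag).decode()


def verify_mac(viewstate: str) -> Optional[dict]:
    """Return the fields if the tag checks out, None if the blob was altered."""
    raw = base64.b64decode(viewstate)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def readable_without_key(viewstate: str) -> bytes:
    """What an observer on the wire or on the client sees: the serialised
    fields are plain base64, so the MAC adds no confidentiality."""
    return base64.b64decode(viewstate)[:-TAG_LEN]


def altered_copy(viewstate: str) -> str:
    """Flip one payload bit, leaving the tag untouched, to show that
    the MAC check rejects the modified view state on postback."""
    raw = bytearray(base64.b64decode(viewstate))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    vs = protect_with_mac({"AccountId": "12345", "Discount": "0"})
    print("verified:", verify_mac(vs))
    print("visible without the key:", readable_without_key(vs))
    print("altered copy verifies:", verify_mac(altered_copy(vs)) is not None)
```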