

  • Jason Espin 368 posts 1335 karma points
    Aug 05, 2016 @ 09:05
    Jason Espin
    0

    Securing connection string and Email passwords in Web.Config

    Hi all,

    I have just been having a conversation with one of my colleagues who is a Sitecore certified developer about a Web.Config file in one of our live Umbraco solutions. The particular area of interest was the database connection string and the default Email credentials which by default are stored in the Web.Config file as plain text.

    When I first started developing Umbraco websites, this was a huge concern to me as I came from a PHP background where everything is hashed and salted before going into production. However, after researching on 'Our' regarding how other people handle this issue, I found that generally, people don't. Most people are going into production with these plain text passwords and credentials stored in their Web.Config file.

    Surely, this is insecure right? At least that is what my colleague is arguing. According to others online, and some members of the Umbraco Core team, this is not the case. I've seen such quotes as "If people can see your Web.Config file which is never served to the public then you have bigger security issues than unhashed passwords". The problem is, most of these articles, quotes and snippets are from 2010 which is a long time ago now.

    So my question is, what is regarded as Umbraco best practice for this sort of thing now in 2016?

    I've seen a lot of general information online about using PowerShell to run machine level encryption when the site is live; however, often this tool is unavailable, particularly when you have clients who can only afford shared hosting.

    I know this is a very generalised question but any feedback or input would be greatly appreciated, as my colleague won't accept my argument of 'this is how it is done in Umbraco unless you want me to modify the Core'.

    Thanks in advance.

    J

  • Nik 1614 posts 7260 karma points MVP 7x c-trib
    Aug 05, 2016 @ 09:53
    Nik
    100

    Hi Jason,

    I have to admit, I've not seen any definitive Umbraco specific guides, and as of yet, I've not tested the following advice to see if/how well it will work.

    http://www.hanselman.com/blog/BestPracticesForPrivateConfigDataAndConnectionStringsInConfigurationInASPNETAndAzure.aspx

    It is written by Scott Hanselman and provides some great advice. However, it does say (and it is a limitation in .NET as far as I can tell) that it relies on machine keys for its encryption. It also points out that if you are using Azure (and I'm guessing UaaS works using this principle) that connection strings there are all stored in a protected manner.

    Possibly not the answer you are after, but hope it helps.

    Nik
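    The machine-level encryption Jason mentions and the machine-key dependency Nik describes both refer to the protected configuration feature built into .NET: a Web.config section is encrypted in place with a DPAPI key scoped to the server, and ConfigurationManager decrypts it transparently when the site reads it. The script below is an added example for this thread, not code from Umbraco or from the Hanselman article; it assumes a hypothetical site root, a 64-bit .NET 4.x install, and that the two sections holding secrets are connectionStrings and system.net/mailSettings/smtp.

```powershell
# Added example (not from the thread): encrypt Web.config sections in place with
# the DPAPI provider that ships with .NET, via aspnet_regiis.exe, then verify.
# Assumed (hypothetical): site root below, 64-bit .NET 4.x, script run elevated
# on the server that will host the site.

$SiteRoot = 'C:\inetpub\wwwroot\MySite'   # hypothetical site root
$RegIis   = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
# Sections that hold secrets: the DB connection string and the default mail credentials.
$Sections = @('connectionStrings', 'system.net/mailSettings/smtp')

function Test-ConfigSectionProtected {
    param([string]$Section)
    # A protected section carries a configProtectionProvider attribute and an
    # <EncryptedData> child instead of the plain-text values.
    [xml]$cfg = Get-Content -Raw (Join-Path $SiteRoot 'Web.config')
    $node = $cfg.SelectSingleNode("/configuration/$Section")
    return ($null -ne $node) -and $node.HasAttribute('configProtectionProvider')
}

function Protect-ConfigSection {
    param([string]$Section)
    # DataProtectionConfigurationProvider uses the machine-scoped DPAPI key, so the
    # encrypted Web.config is readable only on this machine; re-run after a move.
    & $RegIis -pef $Section $SiteRoot -prov 'DataProtectionConfigurationProvider'
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed for '$Section'" }
}

function Unprotect-ConfigSection {
    param([string]$Section)
    # Reverse operation, for example before editing credentials or moving hosts.
    & $RegIis -pdf $Section $SiteRoot
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pdf failed for '$Section'" }
}

foreach ($s in $Sections) {
    if (Test-ConfigSectionProtected $s) {
        Write-Host "$s is already protected, skipping"
        continue
    }
    Protect-ConfigSection $s
    if (-not (Test-ConfigSectionProtected $s)) { throw "Verification failed for '$s'" }
    Write-Host "$s protected"
}
```

    Because the key lives in the machine's DPAPI store, the encrypted Web.config cannot be copied to another server or checked into source control and still work there; it has to be encrypted on each host, which is exactly why this is awkward on shared hosting where you cannot run aspnet_regiis. The site code itself needs no change, since ConfigurationManager and Umbraco read the decrypted values as before.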

  • Dan Patching 31 posts 158 karma points c-trib
    Aug 05, 2016 @ 12:18
    Dan Patching
    0

    Hi Jason,

    Generally you don't need to encrypt credentials in the web.config file, as it is never public, which is specific to asp.net rather than just Umbraco. If an attacker has access to the web.config, they most likely have root access to your server, so as you mentioned, you'd have bigger problems.

    I was once asked to make the connection string encrypted by a client, which I did by altering the core slightly. It wasn't difficult, but then you're off the upgrade path (unless you remember to re-implement it on upgrade), so I wouldn't recommend it unless you have to.
