Catch the security flaw: Configuring encryption from Web Server to SQL Server

I assess software security for a living, but I almost missed this one.

<connectionStrings>
    <add name="Conn" connectionString="server=server1; database=database1; Integrated Security=True" Encrypt="True"/>
</connectionStrings>

This connection string was being used in an application that stored confidential data in the database. The data should have been encrypted on the network (from the web server to the database server). I know that for an application to choose encryption for specific SQL connections, it has to set “Encrypt=True” in the connection string and this one was doing it… Or was it?

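On closer inspection, “Encrypt=True” is outside the connection string! It sits as a separate XML attribute on the <add> element instead of inside the connectionString value. The data wouldn’t have been encrypted. This is how it should have been: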

<connectionStrings>
    <add name="Conn" connectionString="server=server1; database=database1; Integrated Security=true; Encrypt=True" />
</connectionStrings>
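A mistake like this is easy to catch mechanically during a configuration review. The following audit script is an added example, not part of the original post: it flags any attribute on an <add> element that sits outside the connectionString value, and any connection string that does not enable Encrypt. The sample config, the name "ConnFixed", the function names and the set of values treated as "encryption on" are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Attributes that belong on <add> under <connectionStrings>.
ALLOWED_ATTRS = {"name", "connectionString", "providerName"}
# Assumption: values treated as "encryption on"; adjust for the driver in use.
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}

# Constructed sample: the flawed entry from the post next to the corrected one.
SAMPLE_CONFIG = """
<configuration>
  <connectionStrings>
    <add name="Conn" connectionString="server=server1; database=database1; Integrated Security=True" Encrypt="True"/>
    <add name="ConnFixed" connectionString="server=server1; database=database1; Integrated Security=true; Encrypt=True" />
  </connectionStrings>
</configuration>
"""

def parse_conn_string(value):
    """Split 'k=v; k=v' into a dict with lower-cased keys.
    Simplification: quoted values containing ';' are not handled."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs

def audit_config(xml_text):
    """Return a list of (connection name, finding) tuples."""
    findings = []
    root = ET.fromstring(xml_text)
    for section in root.iter("connectionStrings"):
        for add in section.findall("add"):
            name = add.get("name", "<unnamed>")
            # Anything outside the allowed set is not inside the connection string.
            for attr in sorted(set(add.attrib) - ALLOWED_ATTRS):
                findings.append((name, f"attribute '{attr}' is outside connectionString"))
            settings = parse_conn_string(add.get("connectionString", ""))
            if settings.get("encrypt", "").lower() not in ENCRYPT_ON:
                findings.append((name, "Encrypt is not enabled inside connectionString"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_config(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run over a real web.config in a build or review step, an empty result means every connection string carries its own Encrypt setting.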