I plan on running two applications through my service with Winhost - my website and a Windows application; and both apps interface with my database. I need each connection string encrypted to prevent my connection information from being viewed by whomever... How do we get this done?
Unfortunately at this time we do not offer encrypted connection strings. You can encrypt the data itself but not the connection string.
Okay, I don't get it?? Why wouldn't you allow for the connection string being encrypted? Without it, wouldn't that expose your servers to a security breach as well as my site to the same vulnerability?
It's the inherent challenges when set up as a shared hosting environment. As a dedicated server it is much simpler, but then you will have to pay for the price of having a dedicated server. We ourselves do not offer dedicated hosting, only shared hosting.
So am I correct in my assertion that - if I go with this arrangement, I am in fact exposing my service to security vulnerabilities?
If you upload your website to our server and your website makes a call to our SQL server, then no, you are not exposing any security vulnerabilities. That is because the calls that your web page, which is hosted on our server, is making to our SQL server are on the same network and do not get passed through the Internet. They stay within the local area network. Therefore the connection string is secure because no one sees it.
Thanks for clearing that point up for me Ray. I was starting to get worried that I had made a bad decision coming to Winhost.
Hi, pardon me for coming up with this again... I am using the connection string as provided in DBManager: "Data Source=tcp:s03.Winhost.com;Initial Catalog=MyDB;User ID=MyUserID;Password=******;Integrated Security=False;" My service works and returns the DB results as needed. So even if I use the connection string in exactly the same format I could use to connect to the DB directly from my desktop PC, it does not show up in public when used within my WinhostService to connect to the WinhostDB? Thanks in advance for clearing me up. Hope you all have some nice holidays, Michael
No. If you upload your website to our server and that website that is uploaded to our server makes a call to our SQL server then the connection string is never passed through the Internet. It stays in the local area network (LAN). Now, if you have a website or a program on your computer and it makes a call to our SQL server then the connection string will be passed through the Internet. Remember, your computer is not on Winhost Local Area Network, only Winhost web server is on the Local Area Network. That is why when your program that is on your personal computer makes a call to our SQL server it has to pass through the Internet to connect to it.
(Oops, I see Ray and I were typing at the same time...I'll leave this here anyway.) Theoretically your connection string, usernames, passwords, etc. could be compromised when connecting to anything from your local computer. That's why the original poster was asking about encryption. In actual practice though, that is unlikely to happen unless your local computer has been compromised with a virus or a root kit or some similar method to place a keylogging program onto your system. What the people who spread such viruses are looking for are typically a few things; 1) Financial information - your banking logins, 2) Email logins - so they can send spam using your accounts, and 3) FTP logins, so they can add files to your site that help them send spam or provide images or landing pages used in spam. Your database login can be used to add an iframe redirect to your site pages, if your site's pages are generated from a database (such as most blogs, etc.), but that is far less common. Generally speaking, if your local system is secure you don't have to worry about your connection string going out into the open. Is it secure? No, it isn't. But it's uncommon for anyone to capture your information that way these days. It's much more efficient (and much, much easier) to infect your local system and log all of your keystrokes.
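An added example, not part of any post in this thread: a small checker that parses a SQL Server connection string such as the one quoted above and reports whether it requests TLS for a connection made from outside the host's LAN. It assumes the Microsoft SqlClient keywords `Encrypt` and `TrustServerCertificate`, and treats a missing `Encrypt` keyword as "not requested"; the function names and the hardened variant are constructed for illustration.

```python
# Added example: audit an ADO.NET-style SQL Server connection string.
# Simplification: doubled quotes inside quoted values are not handled.
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}

# String quoted in the thread (the password is masked there as well).
THREAD = ("Data Source=tcp:s03.Winhost.com;Initial Catalog=MyDB;User ID=MyUserID;"
          "Password=******;Integrated Security=False;")
# Constructed variant that asks for TLS and keeps certificate validation.
HARDENED = THREAD + "Encrypt=True;TrustServerCertificate=False;"


def parse_connection_string(conn_str):
    """Return {keyword: value}; keywords lower-cased with spaces removed."""
    pairs, i, n = {}, 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break  # trailing text without '=' carries no keyword
        key = conn_str[i:eq].strip(" ;").lower().replace(" ", "")
        j = eq + 1
        while j < n and conn_str[j] == " ":
            j += 1
        if j < n and conn_str[j] in "'\"":
            # Quoted value: it may itself contain ';'
            end = conn_str.find(conn_str[j], j + 1)
            if end == -1:
                raise ValueError("unterminated quote in value for " + key)
            value, nxt = conn_str[j + 1:end], conn_str.find(";", end)
        else:
            nxt = conn_str.find(";", j)
            value = conn_str[j:nxt if nxt != -1 else n].strip()
        if key:
            pairs[key] = value
        i = n if nxt == -1 else nxt + 1
    return pairs


def audit(conn_str):
    """List findings for a string used from outside the host's LAN."""
    kv = parse_connection_string(conn_str)
    findings = []
    if kv.get("encrypt", "").lower() not in ENCRYPT_ON:
        findings.append("Encrypt not set: TLS for the session is not requested")
    if kv.get("trustservercertificate", "").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate on: server certificate is not validated")
    if "password" in kv or "pwd" in kv:
        findings.append("password embedded: protect the file that stores this string")
    return findings
```

Calling `audit(THREAD)` returns two findings and `audit(HARDENED)` returns only the embedded-password finding.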
I, too, am concerned about security. I’ll use an encrypted connection between my local PC and the database, and I’ll use FTP with SSL to upload my application (including connection string). But then what? Will anyone other than Winhost’s I.T. have access to my database or connection string? If I’ve got sensitive info (like credit card info) in my database, is there any way I can keep Winhost’s I.T. out as well?
What can we say, to properly manage and secure your database there is some level of access with any IT staff. Even if you choose a dedicated server the IT staff that manages the server directly will have a level of access to it. That is the biggest debate today in the IT department. Even if you manage your own server the IT staff will have access to sensitive information, and if they leave on bad terms then what? All I can say on our end, every staff only has the minimum necessary access to perform their job. And we all have to read, know, and adhere to the privacy, security policies we set in place. In fact, some of our customers often get frustrated because our security/privacy policy is too strict and not flexible enough. Oh well it's better to err on the side of caution. We can't please them all.