i8beef
Re: Is MachineKey compromised or does this just allow forgeries?
Sep 22, 2010 03:43 AM
Well, since I believe the default encryption method for web.config files uses the machine key...
There is a method to encrypt with a separate RSA key, but I'm under the impression that the standard a lot of people use is the machine key method...
So I guess that web.configs encrypted with the machine key are vulnerable to decoding in a coordinated attack with this exploit. Good to know. Guess I feel better about completely disabling WebResource and ScriptResource for my MVC apps.