Last post Sep 18, 2010 11:07 AM by neurich
Sep 18, 2010 07:53 AM|jangwenyi|LINK
Should I worry if I have encrypted sensitive sections of my web.config file, like the database connection strings?
Sep 18, 2010 08:11 AM|mbanavige|LINK
If you have implemented the custom errors page indicated in the advisory and in Scott Gu's blog article here, then the padding oracle attack would not work against your site.
Sep 18, 2010 11:07 AM|neurich|LINK
Provided you follow the instructions detailed in Scott's post, you will be protected. HOWEVER, as an additional level of security, you should also consider moving your database connections to trusted connections (if possible). Failing that, use Protected Sections in your web.config and encrypt the connectionStrings element and machineKey element.
More details here: