Are you saying that you can break into the stuff an app stores on your machine 
with MS's Data Protection API (DPAPI)?  If this were backgammon, I would feel 
like I should "turn the cube" here.

At 02:07 AM 10/3/2006, Dominick Baier wrote
>If the code is running on the client there is no way to effectively protect
>the secret. If the application (running in the security context of the user)
>can decrypt it, a user can too (write a little app or even just use the
>aspnet_regiis tool).
>
>If you simply wanna "hide" stuff on the client this may be OK - but don't
>rely on it.
>
>Eliminating secrets (like moving to integrated auth) is much better than trying
>to obscure it (which won't work anyway given a skilled and/or motivated
>attacker).
>
>cheers,
>dominick
>
>-----------------------------
>Dominick Baier, DevelopMentor
>http://www.leastprivilege.com


J. Merrill / Analytical Software Corp
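
The point in the quoted reply, shown as an added example that is not part of the original thread: a DPAPI blob protected with `CurrentUser` scope is bound to the user account, not to the program that created it, so a second process in the same logon can unprotect it. The sample secret and entropy value are constructed, and the script assumes Windows with `powershell.exe` on the path.

```powershell
# Added example (not from the thread): who can unprotect a CurrentUser DPAPI blob.
Add-Type -AssemblyName System.Security
$pd    = [System.Security.Cryptography.ProtectedData]
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$plain = 'constructed-sample-secret'          # constructed value
$bytes = [System.Text.Encoding]::UTF8.GetBytes($plain)

# "Application A" protects its secret, as an app storing a credential on disk would.
$blobB64 = [Convert]::ToBase64String($pd::Protect($bytes, $null, $scope))

# "Application B": a separate process in the same logon that shares no code with A.
$script = @"
Add-Type -AssemblyName System.Security
`$b = [Convert]::FromBase64String('$blobB64')
`$s = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
`$p = [System.Security.Cryptography.ProtectedData]::Unprotect(`$b, `$null, `$s)
[System.Text.Encoding]::UTF8.GetString(`$p)
"@
$enc       = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($script))
$recovered = powershell.exe -NoProfile -EncodedCommand $enc
"Other process, same user, recovered the secret: $($recovered -eq $plain)"

# Optional entropy only helps while the entropy itself stays secret. A value
# compiled into the client is readable by the same user who can run the client.
$entropy   = [System.Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')
$blobE     = $pd::Protect($bytes, $entropy, $scope)
$withoutOk = $true
try   { [void]$pd::Unprotect($blobE, $null, $scope) }
catch [System.Security.Cryptography.CryptographicException] { $withoutOk = $false }
$withOk = [System.Text.Encoding]::UTF8.GetString($pd::Unprotect($blobE, $entropy, $scope)) -eq $plain
"Unprotect without entropy succeeded: $withoutOk; with entropy: $withOk"
```

The boundary DPAPI enforces here is the user account, which is why the reply recommends removing the secret (integrated authentication) rather than hiding it on the client.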

===================================
This list is hosted by DevelopMentor®  http://www.develop.com
