Are you saying that you can break into the stuff an app stores on your machine with MS's Data Protection API (DPAPI)? If this were backgammon, I would feel like I should "turn the cube" here.
At 02:07 AM 10/3/2006, Dominick Baier wrote
>If the code is running on the client there is no way to effectively protect
>the secret. If the application (running in the security context of the user)
>can decrypt it, a user can too (write a little app or even just use the
>aspnet_regiis tool).
>
>If you simply wanna "hide" stuff on the client this may be OK - but don't
>rely on it.
>
>Eliminating secrets (like moving to integrated auth) is much better than try
>to obscure it (which won't work anyway given a skilled and/or motivated
>attacker).
>
>cheers,
>dominick
>
>-----------------------------
>Dominick Baier, DevelopMentor
>http://www.leastprivilege.com

J. Merrill / Analytical Software Corp

===================================
This list is hosted by DevelopMentor® http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
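The boundary discussed in this thread, as an added example that is not part of the original messages: DPAPI's `CurrentUser` scope is keyed to the account, not to the application, so a separate process under the same account can read the blob. It assumes Windows PowerShell 5.1; the file name, entropy string and secret are constructed for the demonstration.

```powershell
# Windows-only sketch; every name and value below is constructed for illustration.
Add-Type -AssemblyName System.Security

$scope    = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$blobPath = Join-Path $env:TEMP 'dpapi-demo.bin'   # hypothetical file the "application" writes
$entropy  = 'demo-app-entropy'                     # hypothetical value shipped inside the application

# "Application": protect a sample secret under the current user's DPAPI key.
$plain = [Text.Encoding]::UTF8.GetBytes('Server=db01;Password=constructed-sample')
$blob  = [System.Security.Cryptography.ProtectedData]::Protect(
             $plain, [Text.Encoding]::UTF8.GetBytes($entropy), $scope)
[IO.File]::WriteAllBytes($blobPath, $blob)

# Unrelated code: Start-Job runs this script block in a separate process, same account.
$reader = {
    param($path, $entropy)
    Add-Type -AssemblyName System.Security
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
                 [IO.File]::ReadAllBytes($path),
                 [Text.Encoding]::UTF8.GetBytes($entropy), $scope)
    [Text.Encoding]::UTF8.GetString($bytes)
}
$recovered = Start-Job -ScriptBlock $reader -ArgumentList $blobPath, $entropy |
             Receive-Job -Wait -AutoRemoveJob
"Recovered by a different process: $recovered"

# Optional entropy is checked, but it is one more value that lives on the client.
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, [Text.Encoding]::UTF8.GetBytes('wrong-entropy'), $scope)
    'Unexpected: wrong entropy was accepted'
} catch {
    'Wrong entropy rejected'
}

Remove-Item $blobPath
```

The blob does not decrypt under a different user account on the same machine, which is the protection `CurrentUser` scope actually provides.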