Question
I've got an ASP Classic system that passes around sequential ids corresponding to keys in the database.
I had gotten an encryption module (chilkat, an activex control) that I was using to encrypt and decrypt entire querystrings.
However, since I do validate a user's right to access a particular resource (noted by an ID on the querystring), do I still need to do URL encryption? Would my site pass a security audit in this case?
(or more importantly, should I continue doing both or is access control sufficient)
Explanation / Answer
Encryption makes sense only if:
In your case, if you encrypt client-side, then this must be to protect against the server itself. However, if the server must be able to understand the data, in order to enforce filters, then the server must be able to decrypt it. Therefore, such encryption cannot protect the data against the server. The conclusion is that the encryption you are describing does not make sense: it provides no useful security property.
(Well, you might encrypt for another reason: to protect against eavesdropping in transit between client and server. But that would apply only if you do something stupid, namely not using SSL. The solution for stupid things is to stop doing them.)