Sorry for my delayed reply (managed only to see your reply on the
Sourceforge archives since they don't do SRS and Gmail is now rejecting
your messages sent through them).

I'm also sorry that I wasn't more clear in my request.  In my Groups
definition, I include external files like this:

[GROUP-CONSTANTCONTACT-IPS]
# include IP-Lists/IPS-constantcontact.com.cfg

For this example, the file IPS-constantcontact.com.cfg gets updated by a
little script that queries the IPs that constant contact uses, by doing a
recursive search of this provider's SPF record.  It just puts the IPs in a
text file, ASSP detects the change, and uses them. GREAT and works nicely
for me.  Now I'm noticing though that ASSP is also encrypted by ASSP
after loading them.  Maybe it's always done this, but I've never noticed
this before the other day.

If this file were to be needed elsewhere, that would be a problem - of
course we could have the program that generates the file generate two, one
for assp that will be encrypted, the other for use by whatever other
program needs it.

I'm asking more out of curiosity than practicality at this point, but I
want to understand as much as possible.

I take security VERY seriously, but at the same time know that encrypted
config files can cause problems if you've got a disaster recovery situation
that you need to undertake.  I like the idea of encryption in concept, but
if we're dealing with config files that are only accessible via a
compromised machine, we'd have bigger problems if they became
accessible...  No?




> >so if we were going to use them elsewhere, we wouldn't be able to
>
> No - even such an encrypted file is also used in an unsecured config
> parameter, assp will know that and will decrypt the content.
>
> >1) When did encryption of external configuration files become the norm? I
> hadn't noticed this before.
>
> What are 'external configuration files'?
> There was never a V2 released without encrypted config parameters!
>
> >2) Is there a way to disable this option?
>
> No.
> Why?
>
> >3) Curious, what's the point of encrypting these files?  if someone has
> access to the ASSP machine or file structure, encryption of these files
> won't do much of anything would it?
>
> Encrypted are all config parameters (and used files), if they may contain
> passwords.
> Encrypted config parameters are only visible to 'root' in the GUI
>
> >(change PW in ASSP.cfg and look at
> admin UI to see what's in the group file)
>
> Changing 'webAdminPassword' outside the GUI or SNMP will destroy all
> encrypted config parameters, hashes and database tables.
>
>
> Thomas
>
>
On Thu, Oct 20, 2016 at 9:11 PM, K Post <nntp.p...@gmail.com> wrote:

> Just noticed this:
> Oct-20-16 20:52:17 Info: file c:/ASSP/IP-Lists/IPS-gmail.com.cfg is now
> stored encrypted, because it is used in secured config Groups
>
> We programmatically generate several lists in IP-Lists that are used in
> group definitions.  It looks like they become re-encrypted after updating,
> so if we were going to use them elsewhere, we wouldn't be able to.  That's
> okay, we can change the code that creates these lists.
>
> I do have little questions though:
>
> 1) When did encryption of external configuration files become the norm?  I
> hadn't noticed this before.
>
> 2) Is there a way to disable this option?
>
> 3) Curious, what's the point of encrypting these files?  if someone has
> access to the ASSP machine or file structure, encryption of these files
> won't do much of anything would it?  (change PW in ASSP.cfg and look at
> admin UI to see what's in the group file).
>
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
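
The workaround described in the message above (a generator that follows a provider's SPF record recursively and emits one list for ASSP plus a plaintext copy for other programs), as an added example; it is not the poster's script or ASSP code. The TXT records are constructed, and the one-entry-per-line layout, the function names and the injected `lookup_txt` resolver are assumptions.

```python
import ipaddress
import os
import tempfile

# Constructed TXT records standing in for live DNS answers (assumption).
SAMPLE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test ~all",
    "_spf.example.test": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 "
                         "include:example.test redirect=_b.example.test",
    "_b.example.test": "v=spf1 ip4:203.0.113.0/25 -all",
}
MAX_DOMAINS = 10  # cap on domains visited, in the spirit of RFC 7208's limit


def collect_spf_networks(domain, lookup_txt):
    """Follow include:/redirect= terms and return sorted CIDR strings."""
    seen, nets = set(), set()

    def walk(name):
        if name in seen:  # include loop or repeated include: expand once
            return
        if len(seen) >= MAX_DOMAINS:
            raise RuntimeError("too many SPF domains; refusing to continue")
        seen.add(name)
        terms = (lookup_txt(name) or "").split()
        if not terms or terms[0].lower() != "v=spf1":
            return
        for term in terms[1:]:
            term = term.lstrip("+-~?")  # drop the SPF qualifier
            if term.startswith(("ip4:", "ip6:")):
                # ip_network() rejects malformed entries with ValueError
                nets.add(str(ipaddress.ip_network(term[4:], strict=False)))
            elif term.startswith("include:"):
                walk(term[len("include:"):])
            elif term.startswith("redirect="):
                walk(term[len("redirect="):])

    walk(domain)
    return sorted(nets)


def write_copies(networks, paths):
    """Write the same list to each path, replacing the old file atomically."""
    body = "\n".join(networks) + "\n"
    for path in paths:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as handle:
            handle.write(body)
        os.replace(tmp, path)
```

Pass the file named in the ASSP group include as one path and a second file for other consumers as the other, since ASSP stores its own copy encrypted after loading it.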
