
The layered approach to internet security

One of the most fundamentally sound approaches to securing anything, whether your country, your house, your wallet, or even your Web site, is layered security. It simply means not relying on a single defense: put several layers in place so that if one is penetrated, the next one is still there to protect you. Sounds good. Now, back to reality.

Try to implement such an approach using the latest ASP.NET 2.0 with the corresponding dev tools and you may run into a disappointing issue. Microsoft introduced the ViewStateUserKey property so that the IIS/ASP.NET 2.0 server can distinguish legitimate requests from forged ones. Put this mechanism under SSL and you have layered security for your Web site. Almost. It turns out this does not actually work on Web forms with reasonably complex controls, such as JavaScript code or AJAX animation; in other words, precisely the kind of pages hackers like to attack. A bug in Visual Studio 2005 breaks it, and the server-side verification fails. Microsoft spoke last year of fixing this bug soon, but it apparently still is not fixed in SP1 for Visual Web Developer Express.
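For reference, this is how the ViewStateUserKey layer is normally wired up in ASP.NET 2.0. This is an added example, not code from the original post; it assumes cookie-based session state is enabled (the default) and that pages derive from the `SecurePage` class introduced here.

```csharp
using System;
using System.Web.UI;

// Added example, not from the original post: a base page that ties each
// page's view state MAC to the visitor's session, so a view state blob
// captured under one session fails verification if replayed under another.
// Assumes cookie-based session state is enabled (the ASP.NET 2.0 default).
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // ASP.NET regenerates the session ID on every request until
        // something is stored in the session. Pin it, otherwise the key
        // changes between requests and every postback fails verification.
        if (Session["ViewStateUserKeyPinned"] == null)
        {
            Session["ViewStateUserKeyPinned"] = true;
        }

        // Must be set here (or in Page_Init), before view state is loaded.
        // Setting it later, e.g. in Page_Load, throws an HttpException
        // because the posted view state has already been processed.
        ViewStateUserKey = Session.SessionID;
    }
}

// Pages inherit from SecurePage instead of System.Web.UI.Page:
// public partial class Checkout : SecurePage { ... }
```

This only adds a layer on top of the view state MAC (enableViewStateMac, on by default); it does not replace SSL, which is the other layer the post relies on.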

So much for layered security. Rely on SSL for now and hope the software giant will come up with a fix soon.
