This topic has 0 replies, 1 voice, and was last updated 3 years, 9 months ago by MSPControl.

  • Author
  • #4737

    A long-standing and insecure design of all existing versions of Websitepanel and all other derivatives, including MSPControl prior to the latest build, is the use and existence of the Cryptokey System, which lives in the Web.config of the enterprise server. This Cryptokey, if taken along with a CSV export of the database by an attacker, could potentially allow the attacker to decrypt the entire database in a simple way, which would expose the hoster's and all of its clients' critical passwords and other sensitive data that is stored in the process of using MSPControl. Websitepanel, derivatives and MSPControl have relied on the Cryptokey system to allow decryption of first generation (non-standard) AES based encryption, which can also be exploited. The encryption used was developed prior to the acceptance of the standard for AES.

    In the latest version of MSPControl we have eliminated the need for using the Crypto-Key at all, allowing you to use SQL Encryption in its place. SQL Encryption offers us AES256 encryption using a complex Master-Key Certificate based Encryption that allows us to store the Recovery key Off-Premise from the server. The Private key is stored in a way that makes it possible to decrypt the hashes ONLY if you are sitting on the Server itself, or have access to the backup Master-Key and recovery password. This is a significant increase in security, which puts MSPControl database Encryption on a method which is the securest possible option we can currently see that works for everyone without any cost incurred.

    We suggest that you convert to SQL Encryption as soon as possible. At the current moment it is possible to convert to SQL Encryption, but we lack some of the management abilities around Master-Key and the process is not the most beautiful thing. It is possible, so we want to let everyone know it can be done now with some effort; by the end of the week the process will be much easier as it's refined. We are also still using Crypto-Key for new installations, but this will also change over the course of the week in favor of SQL Encryption.

    We recommend anyone using a version of MSPControl or Websitepanel prior to the current build to update and implement SQL Encryption in the place of the current system. Please BACKUP YOUR DATABASE prior to attempting this; it can cause data loss if done incorrectly.


The topic ‘MSPControl implements SQL Encryption to move away from Cryptokey System’ is closed to new replies.
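The master key, certificate and AES-256 arrangement the post describes can be sketched with SQL Server's built-in key hierarchy. This is an added example, not MSPControl's own conversion procedure or code from the post. It assumes Microsoft SQL Server with column-level encryption, and every database, table, key name, path and password in it is a hypothetical placeholder.

```sql
-- Assumption: Microsoft SQL Server. All names, paths and passwords are placeholders.
CREATE DATABASE DemoPanelDb;   -- hypothetical scratch database
GO
USE DemoPanelDb;
GO
-- 1. Database master key (DMK). It is protected by this password and, automatically,
--    by the instance's service master key, so the local server can open it unattended.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<dmk-password-placeholder>';
GO
-- 2. Certificate whose private key is protected by the DMK (no password given here).
CREATE CERTIFICATE DemoSecretsCert WITH SUBJECT = 'Demo column encryption certificate';
GO
-- 3. AES-256 symmetric key, itself protected by the certificate.
CREATE SYMMETRIC KEY DemoSecretsKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoSecretsCert;
GO
-- 4. Recovery material: password-protected backups of the DMK and the certificate.
--    Move these files and the recovery password off the server after creating them.
BACKUP MASTER KEY TO FILE = 'D:\KeyBackup\DemoPanelDb_dmk.bak'
    ENCRYPTION BY PASSWORD = '<recovery-password-placeholder>';
BACKUP CERTIFICATE DemoSecretsCert TO FILE = 'D:\KeyBackup\DemoSecretsCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\KeyBackup\DemoSecretsCert.pvk',
                      ENCRYPTION BY PASSWORD = '<recovery-password-placeholder>');
GO
-- 5. Store a secret as ciphertext and read it back (constructed sample row).
CREATE TABLE dbo.DemoServiceSecrets (
    SecretId    INT IDENTITY PRIMARY KEY,
    SecretName  NVARCHAR(100)  NOT NULL,
    SecretValue VARBINARY(256) NOT NULL   -- ciphertext only
);
GO
OPEN SYMMETRIC KEY DemoSecretsKey DECRYPTION BY CERTIFICATE DemoSecretsCert;
INSERT INTO dbo.DemoServiceSecrets (SecretName, SecretValue)
VALUES (N'constructed-sample',
        ENCRYPTBYKEY(KEY_GUID('DemoSecretsKey'), N'constructed-sample-value'));
SELECT SecretName,
       CONVERT(NVARCHAR(200), DECRYPTBYKEY(SecretValue)) AS PlainValue
FROM dbo.DemoServiceSecrets;
CLOSE SYMMETRIC KEY DemoSecretsKey;
GO
```

A CSV export of this table carries only the ciphertext column; the keys needed to read it stay in the SQL Server key hierarchy or in the password-protected backup files, not in an application config file.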

©2020 MSPControl | Privacy Policy
