.NET Security Blog

This question comes up every so often on the public newsgroups, so I thought I'd write out an explanation here. When you try to round trip encrypted data through plain text (for instance, take the encrypted data and put it into a text string), you need...

My first lead at Microsoft, from way back in the summer of 2001 when I was an intern, was featured on MSDN TV last week giving a basic introduction to CAS, and discussing how it applys to managed code developers. You can find the show here .

Earlier this week, I posted about using cipher references to refer to data stored in the same document. Today I'll use the same technique, but instead of storing the encrypted data elsewhere in the document, I'm going to store it on a seperate server...

Denis Piliptchouk has written a four part series comparing .NET and Java security on O'Reilly's OnJava site. Part 1 - Security Configuration and Code Containment Part 2 - Cryptography and Communication Part 3 - Code Protection and CAS Part...

Most users of encrypted XML will encrypt their data and embed the resulting cipher value directly into the EncryptedData element, using a CipherValue tag. However, XML encryption also supports the use of CipherReferences, which allow you to place the...

Although this is kind of old news, you can check out Sebastian Lange (CLR Security PM) and Ivan Medvedev (CLR Security Test Lead) giving a talk about new features in security for our Whidbey release. This is a video and slideshow from the presentation...

There was quite a bit of discussion about ClickOnce on the .Net Rocks show earlier this week. You can listen here: http://perseus.franklins.net//DotNetRocks_0047_Brian_Noyes.wma . The discussion starts at about 14:00 and ends around 31:00.

I've gotten some comments about my XML Digital Signatures entry, pointing out that since I chose to embed the signing key into the document, nothing is preventing anyone from simply removing the signature, modifying the document, and then resigning with...

The PDC build of Whidbey and Longhorn do not provide a great mechanism for handling errors in ClickOnce manifests and other similar activation issues. Often if there is a problem activating a ClickOnce application, you'll only get a simple error dialog...

The GotDotNet blogs are being frozen, so I'll be moving my blog over to the ASP.Net site.  You can find the new location at http://blogs.msdn.com/shawnfa

Using XML encryption to encrypt payment information...

A first look at permission elevation...

Creating and Verifying Enveloped Signatures...

Sample code for custom security objects...

Here's another ClickOnce article to come out of the PDC: ClickOnce to Debut in Whidbey .  This one is also pretty high level, and doesn't touch much of the security aspects.

MSDN is hosting a sample chapter from Douncan Mackenzie's upcoming book Essential ClickOnce .  Although the chapter doesn't go into the security aspects, such as Permission Elevation or TrustMangers, its still an interesting read. http://msdn...

Avoiding security exceptions that occur when you try to provide extra trust based upon strong name or X509 certificates...

How to modify your security policy to make your application work from the LocalIntranet zone...