This article describes in detail which security protocols and encryption algorithms are used by SolarWinds Web Performance Monitor and the WPM Player.
WPM uses remote players for the playback of transactions. Communication to and from players uses the standard HTTPS protocol by default. It is possible to switch the protocol to non-secure HTTP manually through the configuration files.
Communication Protocol: HTTPS
WPM players save all received recordings in a local database. Recordings are saved in plain XML with encrypted passwords and key-press actions.
This sensitive information is encrypted with Triple-DES through the ProtectedData class of Microsoft's .NET Framework. The encryption key is unique to each computer, so the data cannot be decrypted on a different machine.
Encryption: Symmetric Triple-DES (168-bit)
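The machine-bound protection described above, as an added PowerShell example (not SolarWinds code): it encrypts a password field in an XML fragment with the .NET ProtectedData class, reads it back on the same computer, and shows that an altered blob is rejected. The LocalMachine scope, the element names and the sample password are assumptions; the page does not state them.

```powershell
# Added illustration, not SolarWinds code. Written for Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security   # assembly that holds ProtectedData

# Assumption: machine-wide scope; the page does not say which scope WPM uses.
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Protect-Field {
    param([string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Field {
    param([string]$Base64Blob)
    try {
        $blob  = [Convert]::FromBase64String($Base64Blob)
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch {
        # Unprotect throws when the blob came from another computer or was altered.
        Write-Warning ("Cannot decrypt on {0}: {1}" -f $env:COMPUTERNAME, $_.Exception.Message)
        $null
    }
}

# Constructed sample; element names and password are not the real WPM schema.
[xml]$recording = '<Recording><Step action="TypeText"><Password>Example-Pa55!</Password></Step></Recording>'
$node = $recording.SelectSingleNode('//Password')

# Store the field encrypted; the rest of the XML stays readable.
$node.InnerText = Protect-Field $node.InnerText
$recording.OuterXml

# Same computer: the original value comes back.
Unprotect-Field $node.InnerText

# Flip the last byte to simulate a damaged blob.
$raw = [Convert]::FromBase64String($node.InnerText)
$raw[$raw.Length - 1] = $raw[$raw.Length - 1] -bxor 0x01
Unprotect-Field ([Convert]::ToBase64String($raw))
```

With the LocalMachine scope assumed here, the blob is tied to the computer rather than to a user account, so access to the player's local database should be restricted accordingly.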
Credentials in recordings that are saved in the main WPM database are encrypted using asymmetric RSA encryption with an X.509 certificate. X.509 is an ITU-T standard for a Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI); it specifies standard formats for public key certificates, certificate revocation lists, and attribute certificates, as well as a certification path validation algorithm. The certificate for this encryption is generated during the installation of WPM and is stored on the WPM server. Data cannot be decrypted without access to this certificate.
Encryption: X.509 Certificate Asymmetric RSA
WPM allows recordings to be exported and saved as individual files. By default, these files are plain XML with encrypted passwords and key-press actions. This data is encrypted using AES encryption with a 256-bit WPM-specific key. To provide another level of security, the user can specify a password during the export operation to encrypt the entire recording. This additional encryption step uses AES encryption with the user-defined password. The recording can be decrypted only by using the same user-defined password.
Encryption: Symmetric AES 256-bit (Advanced Encryption Standard (AES) is the block cipher ratified as a standard by the National Institute of Standards and Technology of the United States.)