Forgive me if this is not the right forum and point to the proper one.

I'm just about complete in developing a web site. It's a simple setup with an SQL Server, IIS, and a VB ActiveX DLL creating the ASP pages. The problem is the IIS server and the SQL server are both maintained by what I'll call a different entity than the people who will be using the data. The data is confidential to only the people using the web application.

I've set up 128-bit SSL from the browser to IIS. I've also set up RC4/MD5 encryption between IIS and the SQL Server. All data is encrypted on the SQL Server. I'm using Microsoft's Base Cryptographic Provider v1.0 called from within the ActiveX DLL registered on the IIS server.

My question: Is this secure? Can some type of sniffer be placed on the IIS server and read the data as the DLL moves it from RC4 to SSL and vice versa? How strong is the RC4/MD5 encryption on the SQL Server? Since "they" have access to the data, they can copy the database and begin a brute-force attack. How long would it take to crack RC4? The data needs to be confidential for exactly 4 years, at which time I empty the database and begin anew.

Unfortunately, having our own hardware at our own location is not an option.

Thanks,
A