
The transfer of encrypted data or encryption systems from the US to foreign nations is tricky business as encryption can be categorized as a munition and can be governed by US export laws.

I plan to be starting a website that will contain multiple encryption algorithms written in JavaScript. I do not want these js files to be distributed to anybody with an IP outside of the US as I feel I might be breaking export laws (the servers, at least in the beginning, will be in the US). I know there are plenty of ways to spoof an IP to get around this, but I feel this is the best kind of restriction I could realistically implement and that it would prove intent not to transmit out of the country (due diligence).

For various reasons I do not want to encrypt anything server side. That is out of the question.

I could write up some server side code to geocode the IP address and either return the JS or not but I'm thinking there might be some configuration setting I can set in IIS. I don't want to rewrite the wheel if something already exists.

Can IIS be configured to restrict access to certain files based on IP address and geocoding? Am I being too paranoid?

Corey Ogburn

1 Answer


You could use IIS's "IP Address and Domain Restrictions", but your list of IP ranges, either a deny list for outside the US or an allow list for inside the US, will be rather large and will have to be scanned for every request. If you don't expect high traffic, then it might not be an issue.

There are no GeoIP capabilities out of the box in IIS; you'd have to hit some geolocation service from an HttpModule in your app and maybe cache your lookups for some time for the same IPs or IP ranges.

Why not host these js files on Azure Storage or AWS S3 in a non-US region? You will not be "exporting" anything from the US, just merely referencing them from elsewhere?

andryuha
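A sketch of the HttpModule approach described in the answer above, added here as an example and not code from the answerer: it gates `.js` files under one folder on a cached country lookup and denies the request when the lookup fails. The `ICountryLookup` interface, the `/crypto/` prefix, the cache lifetime and the `Lookup` wiring are all assumptions made for illustration.

```csharp
using System;
using System.Runtime.Caching;
using System.Web;

// Hypothetical abstraction over the geolocation source (not an IIS/.NET API).
public interface ICountryLookup
{
    string GetCountryCode(string ip); // ISO 3166-1 alpha-2, or null if unknown
}

public class GeoRestrictModule : IHttpModule
{
    private const string ProtectedPrefix = "/crypto/";   // assumed script folder
    private static readonly TimeSpan CacheTtl = TimeSpan.FromHours(6);
    private static readonly MemoryCache Cache = MemoryCache.Default;
    public static ICountryLookup Lookup { get; set; }     // assumed: set at startup

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        var path = ctx.Request.Path;
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase) ||
            !path.EndsWith(".js", StringComparison.OrdinalIgnoreCase))
            return;   // only the encryption scripts are restricted

        // UserHostAddress is the TCP peer; behind a proxy or CDN it is the proxy.
        if (!IsUs(ctx.Request.UserHostAddress))
        {
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    private static bool IsUs(string ip)
    {
        if (string.IsNullOrEmpty(ip) || Lookup == null) return false; // fail closed
        var country = Cache.Get("geo:" + ip) as string;
        if (country == null)
        {
            try { country = Lookup.GetCountryCode(ip) ?? "??"; }
            catch (Exception) { country = "??"; }   // lookup failure: deny
            Cache.Set("geo:" + ip, country, DateTimeOffset.UtcNow.Add(CacheTtl));
        }
        return country == "US";
    }
}
```

For the module to see static `.js` requests in the IIS integrated pipeline, register it under `system.webServer/modules` without `preCondition="managedHandler"`.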