[Gllug] Apache mod_ssl
Richard Jones
rich at annexia.org
Tue Aug 10 08:29:36 UTC 2004

On Mon, Aug 09, 2004 at 08:48:47PM +0100, ccooke wrote:
> On Mon, Aug 09, 2004 at 06:11:43PM +0100, Richard Jones wrote:
> > Or as long as someone doesn't silently break into your machine and
> > install a keylogger on your sshd ... It's marginally more secure if
> > you type the passphrase in on the console (goodbye remote
> > administration!), but even then there are perfectly plausible ways to
> > sniff keystrokes.
> And that kills any hope of automated system startup, which anything but
> a very small company will really want. Once you've got to that point,
> you might as well give up. It's possible to script it all from a more
> secure server - ssh out to the web server and start ssl from there - but
> then, if someone compromises the web server they can simply wrap around
> the startup scripts and get the passphrase that way.

Actually, the much derided "trusted computing" + some difficult
assumptions can solve this problem and much more. It can provide a
secure path from the keyboard or other device to the software. It can
also store keys in a secure place on the computer. The difficult
assumptions come about because you have to ensure that all the
hardware and software is tamper proof and provably bug free, but no
one's yet managed to do that with anything other than the most trivial
of systems.
Rich.
--
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
MONOLITH is an advanced framework for writing web applications in C, easier
than using Perl & Java, much faster and smaller, reusable widget-based arch,
database-backed, discussion, chat, calendaring:
http://www.annexia.org/freeware/monolith/
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug