[Gllug] Apache mod_ssl

[Doug Winter]

will wrote:
> Just out of interest, how don't the passwords on certs improve the 
> security?  On the occaisions I have administered an SSL server cert 
> passwords have always been used.

the idea is that it stops someone who breaks into your computer from 
stealing the certificate, and then using DNS poisoning or some other 
technique to direct users of your website to their fake site, now 
running your real certificate, where they will then submit lots of 
lovely secret information like credit card numbers.

if this is a credible attack scenario for any of your sites, raise your 
hand.  no, thought not.

generally in real life the password is kept in a text file on the same 
machine, and then the password entering phase of server start up is 
faked using, as someone else said, some crappy perl script.  that is no 
more secure than no password at all, so it seems much simpler just to 
remove the encryption completely.

doug.

-- 
6973E2CF: 2C95 66AD 1596 37D2 41FC 609F 76C0 A4EC 6973 E2CF
http://adju.st/
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug