[Gllug] Apache mod_ssl
doug at pigeonhold.com
Mon Aug 9 16:18:53 UTC 2004
> Just out of interest, how don't the passwords on certs improve the
> security? On the occaisions I have administered an SSL server cert
> passwords have always been used.
the idea is that it stops someone who breaks into your computer from
stealing the certificate, and then using DNS poisoning or some other
technique to direct users of your website to their fake site, now
running your real certificate, where they will then submit lots of
lovely secret information like credit card numbers.
if this is a credible attack scenario for any of your sites, raise your
hand. no, thought not.
generally in real life the password is kept in a text file on the same
machine, and then the password entering phase of server start up is
faked using, as someone else said, some crappy perl script. that is no
more secure than no password at all, so it seems much simpler just to
remove the encryption completely.
6973E2CF: 2C95 66AD 1596 37D2 41FC 609F 76C0 A4EC 6973 E2CF
Gllug mailing list - Gllug at gllug.org.uk
More information about the GLLUG