[Gllug] Apache mod_ssl

Richard Jones rich at annexia.org
Mon Aug 9 17:11:43 UTC 2004


On Mon, Aug 09, 2004 at 05:23:23PM +0100, will wrote:
> Doug Winter wrote:
> >Generally in real life the password is kept in a text file on the same 
> >machine, and then the password entering phase of server start up is 
> >faked using, as someone else said, some crappy perl script.  That is no 
> >more secure than no password at all, so it seems much simpler just to 
> >remove the encryption completely.
> 
> So it is more secure as long as you don't keep the password in a text 
> file on the same server then.  I would agree, it is an unlikely attack 
> on anything I am running.

Or as long as someone doesn't silently break into your machine and
install a keylogger on your sshd ...  It's marginally more secure if
you type the passphrase in on the console (goodbye remote
administration!), but even then there are perfectly plausible ways to
sniff keystrokes.

Rich.

-- 
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
NET::FTPSERVER is a full-featured, secure, configurable, database-backed
FTP server written in Perl: http://www.annexia.org/freeware/netftpserver/