John,

Not secure at all, nor is it intended to be.

The issue is that if the server is to be started automatically without the
need to enter a passphrase, then encryption cannot be used since the server
needs to provide the keystore passwords at runtime. OBF is simply a way
to put the passphrases into a configuration file so that a casual observer
looking over your shoulder cannot easily remember the configured
passwords. MD5 cannot be used at all in this situation (it is provided
for checking things like BASIC authentication where a credential is sent
over "the wire" but we want to avoid storing such credentials on the
server, so we check the MD5 of the provided credential with the stored MD5).

BCrypt would not help, as it requires a passphrase. If we put that
passphrase in a config file, then it's just the same problem... how to
protect the passphrase needed to recover the password needed to recover the
private key ....

Ultimately if a server is to start automatically, without human
intervention, then you need to rely on the OS security to keep a
configuration file secure.

cheers

On Fri, 16 Jul 2021 at 01:52, John English <john.fore...@gmail.com> wrote:

> On 15/07/2021 18:27, Joakim Erdfelt wrote:
> > The `MD5:` format Credential / Password is what's known as a 1-way hash
> > (this is not encryption)
> > You can take a password and generate a MD5.
> > Then later, when a password is provided, you can run the hash again and
> > compare the resulting MD5 to know if the password that was provided is a
> > match.
>
> Ouch. MD5? Not terribly secure. I prefer BCrypt.
>
> --
> John English
> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
>


-- 
Greg Wilkins <gr...@webtide.com> CTO http://webtide.com
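As an added example (not code from this thread, and not the Jetty project's own code), the Python below models the two credential forms Greg contrasts. `obfuscate`/`deobfuscate` transcribe the keyless OBF transform that Jetty's public `org.eclipse.jetty.util.security.Password` class implements in both directions, and `md5_credential`/`check_credential` mirror the `MD5:` hash-and-compare lookup he describes for BASIC authentication. The function names, the sample passwords and the use of a constant-time comparison are this example's own choices, not Jetty's. The point for a defender is visible in the round trip: an `OBF:` value yields the original password with no key at all, so the file that holds it must be protected by OS permissions exactly as a plaintext password would be.

```python
import hashlib
import hmac

OBF_PREFIX = "OBF:"
MD5_PREFIX = "MD5:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 rendering, like Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_BASE36[r])
    return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Encode a password in Jetty's OBF form.

    Each input byte is paired with its mirror byte from the other end of
    the string and the pair is written as a 4-character base-36 group; bytes
    above 0x7F (negative as Java bytes) get a 'U' marker and a 5-char group.
    There is no key: this hides the value from a glance, nothing more.
    """
    b = password.encode("utf-8")
    n = len(b)
    out = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = b[i], b[n - (i + 1)]
        if b1 > 127 or b2 > 127:
            # Non-ASCII branch: only b1 is recoverable from this group.
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Invert obfuscate(); needs nothing but the OBF string itself."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            out.append((int(s[i + 1:i + 5], 36) >> 8) & 0xFF)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            # i1 + i2 == 254 + 2*b1, so the original byte falls out directly.
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")


def md5_credential(password: str) -> str:
    """Stored form for a one-way MD5 credential: 'MD5:' + hex digest."""
    return MD5_PREFIX + hashlib.md5(password.encode("utf-8")).hexdigest()


def check_credential(stored: str, provided: str) -> bool:
    """Check a presented password against a configured credential string.

    'MD5:' values are compared hash-to-hash (the stored hash cannot be turned
    back into a password, which is why it cannot feed a keystore at startup).
    'OBF:' values are decoded first; anything else is treated as plaintext.
    Comparison is constant-time, an addition over a plain string equality.
    """
    if stored.startswith(MD5_PREFIX):
        expected = stored[len(MD5_PREFIX):].lower()
        actual = hashlib.md5(provided.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, actual)
    if stored.startswith(OBF_PREFIX):
        stored = deobfuscate(stored)
    return hmac.compare_digest(stored.encode("utf-8"), provided.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    secret = "password"
    obf = obfuscate(secret)
    print("OBF form:       ", obf)
    print("recovered:      ", deobfuscate(obf))          # keyless reversal
    stored_hash = md5_credential(secret)
    print("MD5 credential: ", stored_hash)
    print("MD5 check ok:   ", check_credential(stored_hash, secret))
    print("MD5 check bad:  ", check_credential(stored_hash, "Password"))
```

Running it shows the same password coming straight back out of its `OBF:` form, while the `MD5:` form can only answer "does this presented value match", which is the distinction the reply draws between the two.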