>>>>> "Raj" == Raj Shekhar <[EMAIL PROTECTED]> writes:

    Raj> in infinite wisdom Sumit Malhotra spoke thus On 09/23/2005
    Raj> 10:27 AM:
    >> SSL provides two layers of security: 1. SSL layer for
    >> encryption
    >> 
    >> A warning message for a wrong certificate *generally* indicates
    >> a. the server you are connecting to has the wrong certificate
    >> installed, OR b. a man in the middle attack is in progress.
    >> 
    >> Hence, the purpose of saving yourself from getting sniffed
    >> will be void.

    Raj> Yes, I agree.  However, if the data passing on the network is
    Raj> quite sensitive, then you are better off putting the vhosts
    Raj> on different IPs and generating an SSL certificate for each.
    Raj> If, however, you want to have a quick hack to prevent the
    Raj> script kiddies from snooping your passwords (when using
    Raj> phpmyadmin or a CMS running on http), then you can use the
    Raj> above method.  It is not foolproof - please see the article I
    Raj> pointed out.  The author notes that

    Raj> " When you run multiple SSL sites from a single certificate,
    Raj> you have the same level of encryption that you would have on
    Raj> any "correctly configured" SSL site. However, you completely
    Raj> forfeit any authentication ordinarily offered by SSL.  "

>>When do you need validation and verification?  Usually when you're
>>doing e-commerce on the SSL site and want the user to feel secure that
>>s/he is connecting to the right place and giving his/her CC number.

I just told you the options; using them or not is entirely up to
you.
It's definitely a better way of securing than using an HTACCESS.


>>Encryption, OTOH, is much more prevalent and ensures that your data is
>>protected in transit.  Useful if you're filling confidential
>>information into web forms, etc., which many of us do on a daily
>>basis.  The method suggested (allowing encryption without
>>verification) is a good way to achieve the latter.  If you're, e.g.,
>>accepting CC numbers you would have paid for an extra IP and a
>> (useless IMO) global certificate anyway :)

There are many books written on how man in the middle attacks are done.
Check out the book Stealing the Network by Syngress if you need.

With the thread's emphasis on securing information from script
kiddies (as Shekhar mentioned in earlier threads), I can safely assume
that if a kiddie can break into my router/gateway/machine to sniff, then he
can play with man in the middle attacks.


>>BTW, I think you can get around the mis-match warning problem by
>>running your SSL VHOSTS on separate ports.  Can anyone confirm/deny
>>this?

Nope. Not so simple.   You need to run multiple Apache servers with
different ports. Then it may work.

-
Sumit

Regards,

-- Raju
-- 
Raj Mathur                [EMAIL PROTECTED]      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
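An added example, not written by anyone in this thread: it applies the hostname-matching rules a browser uses (exact dNSName/CN match, or a wildcard that stands for exactly one leftmost label) to a certificate and a list of name-based vhosts, so you can see in advance which vhosts behind a shared certificate will raise the mismatch warning. The certificate dict is a constructed sample laid out the way Python's `ssl` module returns `getpeercert()`, so a real peer certificate can be fed in the same way; the host names are placeholders.

```python
"""Audit which name-based SSL vhosts a single certificate actually covers.

Browsers compare the host in the URL with the certificate's subjectAltName
dNSName entries (falling back to the subject commonName) and show the
certificate-mismatch warning when none match.  The same rules are applied
here to a certificate and a list of vhost names.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive; a wildcard is only allowed as
    the whole leftmost label and matches exactly one label, so "*.example.org"
    covers "shop.example.org" but not "example.org" or "a.b.example.org"."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as "*.com": at least two fixed labels.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert: dict) -> list:
    """Collect the DNS subjectAltName entries; fall back to the subject CN.
    The dict layout is the one ssl.SSLSocket.getpeercert() returns."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def audit_vhosts(cert: dict, vhosts: list) -> dict:
    """Map each vhost name to True (covered) or False (mismatch warning)."""
    names = cert_names(cert)
    return {host: any(hostname_matches(n, host) for n in names) for host in vhosts}


# Constructed sample: one certificate issued for the primary site, shared by
# several name-based vhosts on the same IP:443 (placeholder host names).
SHARED_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}
VHOSTS = ["www.example.org", "phpmyadmin.example.org", "cms.example.net", "a.b.example.org"]

if __name__ == "__main__":
    for host, ok in audit_vhosts(SHARED_CERT, VHOSTS).items():
        print(f"{host:28} {'covered' if ok else 'MISMATCH WARNING'}")
```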

_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/

Event: Freedel 2005, 17th & 18th September, 2005 - http://freedel.in