On Fri, 24 Mar 2000, Eli Marmor wrote:
> Jan Meijer wrote:
> >
> > > A hacker can copy your key, no matter if it is encrypted or not; It
> > > will just spend one more minute for him.
> >
> > Perhaps I'm missing something here, but if your key is encrypted and the
> > only way to decrypt it is to actually enter the passphrase manually (e.g. no
> > automatic start-up) the hacker can steal all he wants, but needs to trojan
> > some things as well to actually get to your key (unless of course you
> > encrypted it with 40-bit DES, but only someone in the wrong country would
> > do that).
>
> Yes, you are missing something. The message before mine, to be more
> specific. A subscriber asked how to run Apache automatically (probably
> from his rc.d or init.d scripts), and was answered that he should
> write a program to supply this password to Apache. So I responded with
> my message, that having such a program makes PEM encryption useless.
>
>
the hacker might just pop into yer box, and scarf up the passphrase from
the file ya made to do the auto run; this is always considered a flaw in
security, no different than making a script that sends a password to auto
telnet/ftp to some account of yers. Secured server recycles should not be
totally automated; some things are best left to be done by hand, either
from the console, or via an ssh connection.
Remember, if yer offering up anything but static pages, any kind of active
content, your web server<farm> is most likely vulnerable, and the main
point of entry into the rest of your network.
I'm sure that most folks reading this list also subscribe to the bugtraq
list and others for security measures, and to keep up to date, and most
have their web servers tightly backed up for reinstalls on compromise, yes?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
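The setup this thread is arguing about, as an added example that is not part of the original post and not mod_ssl's own code: a small POSIX sh audit that reads an httpd.conf fragment, checks whether the key file really is PEM-encrypted, and flags the "script feeds the passphrase to Apache" pattern (`SSLPassPhraseDialog exec:...`) next to the setting that keeps the passphrase with a human (`SSLPassPhraseDialog builtin`). The directive names are real mod_ssl directives; the config fragments, the helper script and the key file (a PEM header with no real key material) are constructed here for the demo, and the temp directory and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a mod_ssl config for the
# "auto-supplied passphrase" pattern: an encrypted key whose passphrase is
# handed to Apache by a script on the same box, which leaves the encryption
# worth "one more minute" to someone who already got in.

WORK=$(mktemp -d)

# Constructed sample: the weak helper a subscriber was told to write.
cat > "$WORK/getpass.sh" <<'EOF'
#!/bin/sh
echo "s3cret-passphrase"
EOF
chmod 700 "$WORK/getpass.sh"

# Constructed sample: PEM header of an encrypted key, no real key bytes.
cat > "$WORK/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(key bytes omitted)
-----END RSA PRIVATE KEY-----
EOF

# Constructed config fragments: weak (script) vs. corrected (console prompt).
cat > "$WORK/weak.conf" <<EOF
SSLCertificateKeyFile $WORK/server.key
SSLPassPhraseDialog exec:$WORK/getpass.sh
EOF

cat > "$WORK/ok.conf" <<EOF
SSLCertificateKeyFile $WORK/server.key
SSLPassPhraseDialog builtin
EOF

# conf_value CONF DIRECTIVE -> prints the directive's first argument
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# key_is_encrypted KEYFILE -> 0 if the PEM carries an ENCRYPTED Proc-Type
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null
}

# audit_conf CONF -> prints findings; returns 0 when startup will prompt a
# human for the passphrase, 1 when a script supplies it (or value unknown).
audit_conf() {
    conf="$1"
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    dialog=$(conf_value "$conf" SSLPassPhraseDialog)

    if key_is_encrypted "$key"; then
        echo "key $key is PEM-encrypted"
    else
        echo "key $key is NOT encrypted (passphrase question is moot)"
    fi

    case "$dialog" in
        exec:*)
            script=${dialog#exec:}
            echo "WEAK: $conf hands the passphrase to $script"
            # Whoever can read the script reads the passphrase too.
            grep -nE 'echo|printf' "$script" 2>/dev/null | sed 's/^/      /'
            return 1 ;;
        builtin|'')
            # builtin (the default) prompts on the console at startup.
            echo "OK: $conf prompts for the passphrase at startup"
            return 0 ;;
        *)
            echo "?: $conf uses SSLPassPhraseDialog '$dialog'; review by hand"
            return 1 ;;
    esac
}

audit_conf "$WORK/weak.conf" || echo "  -> fix: SSLPassPhraseDialog builtin"
audit_conf "$WORK/ok.conf"
```

Run it on a real httpd.conf by pointing `audit_conf` at the file instead of the constructed fragments; the `exec:` branch is the setting the thread says defeats PEM encryption, and `builtin` is the one that keeps the restart a hands-on job from the console or over ssh.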