On Wed, Aug 30, 2000 at 10:40:01AM -0500, [EMAIL PROTECTED] wrote:
>
> I could probably burn the keys on to a CD and use that when I reboot. The
> rest of the time, I could store the CD in a secure location.
>
And if you're really paranoid you could unplug your network cable, start
apache with a minimum number of processes running and do all sorts of
verifications of the apache binary (tripwire or similar).
> I have also been reading about how it is relatively easy to scan through
> memory (assuming you have root permission) and locate a key.
If the attacker didn't get root, then regular file system permissions
should keep the key safe... but once you've got a shell, then getting
root access usually isn't such a big problem ;-)
> I'm not sure
> how to defend against this kind of attack, except to make sure that your
> system is secure. If an attacker can gain root access, he can probably get
> the private key somehow.
>
Exactly, and then we're back to the point of you not getting much extra
security with a software solution. But even with a hardware solution somebody
with root access to your machine would be "a bad idea"(tm) ;-)
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
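The point raised above, that a root-level attacker can scan process memory and locate the private key, is easy to demonstrate. The following is an added example and not part of the original list post or of mod_ssl: it scans a raw memory image for the ASN.1 layout of a PKCS#1 RSAPrivateKey (SEQUENCE of INTEGERs: version, n, e, d, p, q, dP, dQ, qInv) and then checks the RSA arithmetic so that random bytes which happen to parse are rejected. The "memory image" and the key are constructed inline with textbook-sized numbers (n = 61 * 53) purely so it runs offline; a real key is 2048 bits or more, but the DER layout and the scan are identical.

```python
"""Locate an RSA private key in a raw memory image by scanning for its
DER structure and validating the arithmetic (added example, not from the
mod_ssl list post). The key and the memory image below are constructed."""
import random
from math import gcd


def der_len(n):
    # DER length: short form below 128, otherwise 0x80|count followed by the bytes
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return b"\x02" + der_len(len(body)) + body


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def rsa_private_key_der(n, e, d, p, q):
    """RFC 8017 A.1.2 RSAPrivateKey (PKCS#1) for the given parameters."""
    return der_seq(der_int(0), der_int(n), der_int(e), der_int(d),
                   der_int(p), der_int(q), der_int(d % (p - 1)),
                   der_int(d % (q - 1)), der_int(pow(q, -1, p)))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos, or None."""
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(buf, pos):
    """Try to parse an RSAPrivateKey at pos; return its parts or None."""
    tlv = read_tlv(buf, pos)
    if tlv is None or tlv[0] != 0x30:
        return None
    seq, ints, p = tlv[1], [], 0
    while p < len(seq) and len(ints) < 9:
        t = read_tlv(seq, p)
        if t is None or t[0] != 0x02:
            return None
        ints.append(int.from_bytes(t[1], "big"))
        p = t[2]
    if len(ints) < 9 or ints[0] != 0:  # version must be 0 (two-prime key)
        return None
    _, n, e, d, p1, q, _, _, _ = ints
    # Arithmetic checks: these are what separate a real key from noise
    if p1 < 2 or q < 2 or p1 * q != n:
        return None
    lam = (p1 - 1) * (q - 1) // gcd(p1 - 1, q - 1)
    if (e * d) % lam != 1:
        return None
    return {"n": n, "e": e, "d": d, "p": p1, "q": q}


def scan_memory_for_rsa_keys(image):
    """Return [(offset, key_parts)] for every validated key in the image."""
    found = []
    pos = image.find(b"\x30")
    while pos != -1:
        key = parse_rsa_private_key(image, pos)
        if key:
            found.append((pos, key))
        pos = image.find(b"\x30", pos + 1)
    return found


def build_sample_image(seed=1234, offset=1500):
    """Constructed 'process memory': pseudo-random filler with one key inside."""
    rnd = random.Random(seed)
    filler = bytes(rnd.getrandbits(8) for _ in range(4000))
    key = rsa_private_key_der(n=3233, e=17, d=2753, p=61, q=53)
    return filler[:offset] + key + filler[offset:], offset


if __name__ == "__main__":
    image, offset = build_sample_image()
    for off, parts in scan_memory_for_rsa_keys(image):
        print(f"RSA private key at offset {off}: n={parts['n']} d={parts['d']}")
```

Against a real server the image would come from /proc/PID/mem or a core file of the httpd process, and the modulus recovered from the certificate tells the scanner which candidate to trust; OpenSSL's in-memory BIGNUM layout differs from DER, so a production tool also searches for the raw modulus bytes, but the arithmetic validation step is the same. Nothing in the scan needs more than read access to the process, which is exactly the point made above: once an attacker is root, a key held only in software is theirs.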