On 30/10/2010 22:11, Darryl Lewis wrote:
> Yeah, well reasoned rebuttal there....not.

Oh, I don't know.  It was succinct, to the point, and unlike your
statement, accurate.

You declared, on a public mailing list which is republished on web based
forums and is therefore Googlable, that Tomcat wasn't suitable for use
in a secure environment.  That statement is false* and demonstrably so,
because it _is_ being used in secure environments.

Other messages in the thread contain more information, but I'll
reiterate a few points here.


If the attacker has the same (or higher) level of access to the JVM
process as the user under which the process is running, 'encrypting' a
DB password is meaningless, unless you are able to pass a hashed
password directly to the DB**.

Even that doesn't help much, as the attacker may still have the ability
to make a connection and extract data from the DB.  What's the use of
obfuscating the password, if connection is still usable?


If the attacker has the same access as the server user, what's to stop
them from simply adding a malicious jar and restarting the process, or
deploying their own hostile application(s)?

Or causing a heap dump which contains the state of every object and can
easily be examined to find specific values?

Or more exotic things like (in Java 6) dynamically adding an agent via
the Attach API & rewriting classes to include malicious code?


You'll note that I haven't specifically referred to Tomcat, because each
of these applies to any JVM process.

So are you also saying that WebSphere, WebLogic, Geronimo, JBoss,
Glassfish et al are unsuitable for running in a secure environment?


> That's why we encrypt passwords in unix, or haven't you looked at
> etc/passwd lately?

On my *nix OS, it's not /etc/passwd, it's /etc/shadow which contains the
hashes - and it isn't world readable, because allowing anyone/everyone
access to your passwords, hashed or not, is bad.

Apply the proper file permissions.  QED.


p


*  Don't take my word for it:

http://www.owasp.org/index.php/Securing_tomcat#Cleartext_Passwords_in_CATALINA_HOME.2Fconf.2Fserver.xml

** I tried finding a way to pass a hashed password to a well-known
commercial DB vendor's flagship product recently at the behest of a
client, and wasn't able to.

I'd be interested to know how many DBs *can* handle hashed passwords.
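The "apply the proper file permissions" point above, as an added example that is not part of the thread or of Tomcat itself: a small POSIX shell check that a credential-bearing config file (the thread's case is `$CATALINA_HOME/conf/server.xml`) is readable by its owner only, the same property the poster relies on for `/etc/shadow`. The demonstration operates on a constructed temporary file standing in for `server.xml`; the function names `is_owner_only` and `lock_down` are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that a file
# holding credentials, such as $CATALINA_HOME/conf/server.xml, carries
# no group/other permission bits, then tighten it if it does.

# Returns 0 when the file's group and other bits are all clear,
# 1 otherwise (reports the offending mode on stderr for the operator).
# Uses `ls -ld` rather than `stat`, whose flags differ between GNU and BSD.
is_owner_only() {
    mode=$(ls -ld "$1" | cut -c2-10)          # e.g. rw-r--r--
    grp_other=$(printf '%s' "$mode" | cut -c4-9)
    case "$grp_other" in
        ------) return 0 ;;
        *) printf '%s: mode %s is readable beyond the owner\n' \
               "$1" "$mode" >&2
           return 1 ;;
    esac
}

# Restrict a file to owner read/write only and re-check it.
lock_down() {
    chmod 600 "$1" && is_owner_only "$1"
}

# Demonstration on a constructed stand-in for server.xml (hypothetical
# content; the real file lives under $CATALINA_HOME/conf).
demo_file=$(mktemp)
printf '<Resource username="app" password="example-only"/>\n' > "$demo_file"
chmod 644 "$demo_file"                        # the weak, world-readable setting
is_owner_only "$demo_file" || echo "before: readable by group/other"
lock_down "$demo_file" && echo "after: owner-only"
rm -f "$demo_file"
```

The check deliberately treats any group or other bit as a failure, not just read: a group-writable `server.xml` lets a group member plant a new `<Resource>` or datasource, which is the same "modify the process's configuration" exposure the message describes.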
