> -----Original Message-----
> From: Mladen Turk [mailto:mt...@apache.org]
> Sent: Wednesday, February 23, 2011 3:01
> To: users@tomcat.apache.org
> Subject: Re: Secure AJP over ssl
>
> On 02/22/2011 11:23 PM, Jason Pyeron wrote:
> >> -----Original Message-----
> > > That is a naive view. [Please forgive the wording.]
> >
> > None taken.
> >
> > Given:
> >
> > 1) The Apache box is secure and login is restricted to the minimum set
> > of persons with a need to know.
> > 2) The Tomcat box is secure and login is restricted to the minimum set
> > of persons with a need to know.
> >
> > There is no reason to allow the set of persons capable (and sometimes
> > authorized) to inspect the data on a network (network operations) to
> > be able to inspect the unsecured contents of the data stream. That
> > would be a breach of security and law.
> >
>
> I was just waiting for you to mention that :)
> What do you think happens when encrypted data from the client
> comes in and is encrypted again and sent to the client?
> It's unencrypted in memory, and anyone with access to the
> box can just inspect the content of the httpd process in the
> same way they can read the data on the socket.
> So since the persons who are authorized to log in to the Apache
> and Tomcat boxes have the option to view the data, your entire
> security is still human based. That's why I see no point in
Yes, the list includes 4 people.

> encrypting the data transfer between those boxes, because you
> can just as well make sure the proper persons have the network access.

That list includes 78 people.

> However, I can live with the 'law' reason, but that doesn't
> mean it's secure just because the 'law' says it is.

I see it as there is no excuse not to encrypt it when it crosses security domain boundaries.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
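What the thread never spells out is how the httpd-to-Tomcat hop would actually be encrypted. The AJP connector has no TLS of its own, so the usual approach is to wrap the AJP socket in a TLS tunnel and keep plain AJP on loopback only. The stunnel configuration below is an added illustration by the editor, not something posted in the thread or shipped by the Tomcat or httpd projects; the host name, certificate paths and port 8010 are assumptions, and it presumes a private CA that issues certificates to exactly these two boxes.

```ini
; ===== File 1: /etc/stunnel/stunnel.conf on the Apache httpd box =====
; httpd keeps speaking plain AJP, but only to loopback:
;   ProxyPass / ajp://127.0.0.1:8009/
; stunnel accepts that plaintext locally and carries it to Tomcat over TLS.
[ajp-to-tomcat]
client  = yes
accept  = 127.0.0.1:8009
; Tomcat box host name and tunnel port are assumptions for this example.
connect = tomcat.internal.example:8010
; This box's own certificate and key (assumed paths), presented to Tomcat.
cert    = /etc/stunnel/httpd-box.pem
key     = /etc/stunnel/httpd-box.key
; Private CA used for both boxes (assumed path). verify = 2 requires the
; peer to present a certificate chaining to this CA, so a rogue "Tomcat"
; on the network cannot receive the traffic.
CAfile  = /etc/stunnel/internal-ca.pem
verify  = 2

; ===== File 2: /etc/stunnel/stunnel.conf on the Tomcat box =====
; Tomcat's AJP connector must be bound to loopback so the tunnel cannot be
; bypassed, e.g. in server.xml:
;   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
[ajp-from-httpd]
accept  = 0.0.0.0:8010
connect = 127.0.0.1:8009
cert    = /etc/stunnel/tomcat-box.pem
key     = /etc/stunnel/tomcat-box.key
; Mutual TLS: only a client holding a certificate from the private CA
; (i.e. the httpd box) gets to reach the AJP connector at all.
CAfile  = /etc/stunnel/internal-ca.pem
verify  = 2
```

Two checks worth making after deploying this: confirm that port 8009 on the Tomcat box is not reachable from any other host (otherwise the tunnel is decoration), and confirm that connecting to 8010 without a CA-issued client certificate is refused. Note that this does nothing about Mladen's point: the request is still plaintext inside the httpd, stunnel and Tomcat processes, so the people who can log in to those boxes can still read it. What the tunnel changes is exactly what Jason is after, namely taking the network-operations group off the list of people who can see it. With Tomcat versions that have an HTTPS connector, proxying with mod_proxy_http to that connector and `SSLProxyEngine On` with `SSLProxyVerify require` is the other common way to get the same property without a separate tunnel process.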