Shachar Shemesh
Fri, 29 Jan 2010 01:39:48 -0800
Amos Shapira wrote:
> Does Apache keep it in plain text in memory or maybe it obscures it until it's actually used?

It does not matter. Even if it obscures it, it should be fairly easy for an attacker to unobscure it.

> We hear that Akamai don't store certificates on their front line servers at all and have them shipped to the servers on-line.

But you don't know why, or whether it has any effect. For example, they may be doing this to make deployment easier...

> Part of this is how corporations make decisions, some of our clients want to give us SSL certificates for servers under their domain names and will feel more comfortable with us telling them that we don't store them in plain text. When others (like - competition) tell them the same you have to play by these kind of rules.

Tell them you are storing them on an encrypted partition. It boils down to the same thing (and provides, more or less, the same protection from the same attack).
Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il