In theoretical land:

You have an app that connects to the bank via some complex, highly secure
webservices API over SSL to transfer money etc. Assume Scumbag A wants that
money. Scumbag A manages to exploit your external DNS server to point the
bank's URL, so the info you send goes to the scumbag instead of the bank.
However, on connecting, your CF server will fail because the self-signed
certificate they've generated in the name of the bank isn't trusted by the
CA certs in the keystore. Nothing bad happens.

Now imagine they somehow changed the keystore, to insert a CA that trusts
their self-signed certificate. Your server now happily connects and sends
all of your banking details, passwords, etc. to Scumbag A. Bad things happen.

--
WSS4CF - WS-Security framework for CF
http://wss4cf.riaforge.org/


On 23 June 2010 04:20, Ian Skinner <h...@ilsweb.com> wrote:

>
> Can anybody give me some idea of what a person of ill intent could do if
> they got their greedy little hands on access to this file?
>
> As I understand it they would have to have command line access to the
> system to modify it, would they not?  Or at least file system access to
> remove or replace it.
>
> But other than just wiping it clean for the joy of the chaos of it,
> what other havoc might one cause with changes to the ColdFusion keystore?
>
>
>
> 
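
An added example, not part of the original posts: one way to detect the keystore change described in the reply above is to compare the `keytool -list` output of the trust store against a known-good baseline. The listings, aliases and fingerprints below are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample output of: keytool -list -keystore <path-to-cacerts>
# (aliases and fingerprints are made up for this example)
BASELINE = """\
Your keystore contains 2 entries

examplerootca, Jun 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:AA:22:BB
otherrootca, Jun 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:CC:44:DD
"""
CURRENT = """\
Your keystore contains 3 entries

examplerootca, Jun 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:AA:22:BB
otherrootca, Jun 22, 2010, trustedCertEntry,
Certificate fingerprint (SHA-256): 99:FF:00:EE
helpfulca, Jun 22, 2010, trustedCertEntry,
Certificate fingerprint (SHA-256): 55:EE:66:FF
"""

ENTRY = re.compile(r"^(?P<alias>[^,]+), .*, (?P<kind>\w+),\s*$")
PRINT = re.compile(r"^Certificate fingerprint \([^)]+\): (?P<fp>[0-9A-Fa-f:]+)\s*$")

def parse_keytool_list(text):
    """Return {alias: (entry_type, fingerprint)} from `keytool -list` text."""
    entries, alias, kind = {}, None, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # "alias, date, entryType," header line of an entry
            alias, kind = m.group("alias").strip(), m.group("kind")
            continue
        m = PRINT.match(line)
        if m and alias is not None:  # fingerprint line belonging to that entry
            entries[alias] = (kind, m.group("fp").upper())
            alias = None
    return entries

def diff_truststore(baseline_text, current_text):
    """Report aliases added, removed, or re-pointed at a different certificate."""
    base, cur = parse_keytool_list(baseline_text), parse_keytool_list(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(a for a in set(base) & set(cur) if base[a] != cur[a]),
    }

if __name__ == "__main__":
    print(diff_truststore(BASELINE, CURRENT))
```

An inserted CA shows up under "added", and a trusted alias whose certificate was swapped shows up under "changed", so the baseline has to be stored somewhere the keystore's writer cannot reach.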

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334760