"R. DuFresne" wrote:

> Never start talking to those lacking specific skills about what is important and what can be
> tossed aside, until one is fully aware of the skills they are facing.
> Never advise one to forgo certain security issues without a full
> assessment of the issues involved, never advise someone they can be lax
> here and there as long as this and that are covered until you have a full
> idea of the skills and degree of security knowledge they possess.

This is a good point and in general I would agree that you should never advise anyone to drop any aspect of *real* security without understanding their application thoroughly. However, I would argue that in the specific case of an SSL server, the pass-phrase is useless security *under any circumstances*...

Logically, your machine can be in only one of two states; secure or insecure:

(1) If you have a secure machine, a passphrase is unnecessary - so you don't need it.

(2) If you have an insecure machine, a passphrase is useless - so you still don't need it.

Why is it useless? Because, although you may be able to prevent a bad guy starting the server maliciously, what's to stop him thereafter stealing the data that you captured over your SSL connection? In other words, you simply shouldn't run an SSL server on an insecure system - it is like using an armoured van to deliver $1,000,000 to a bank which has no safe and no locks on the door.

Rgds,

Owen Boyle.

P.S. There was one other point, brought up by NickM, that you might want to use SSL to communicate with an intranet from the internet (as a tunnel). Then you might want to use a passphrase to control the internal web-server, even though you don't care if the individual session data are visible. I accept that this is an application (albeit highly specialised) where passphrase control would be useful. No doubt this is what the mod_ssl developers were thinking about when they added this functionality...

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
