On Fri, 12 Oct 2001, Owen Boyle wrote:
[SNIP]
>
>
> (1) If you have a secure machine, a passphrase is unnecessary - so you
> don't need it.
>
> (2) If you have an insecure machine, a passphrase is useless - so you
> still don't need it.
98% of all ssl systems are "insecure". Most due to poor patch updating,
many due to the fact that they are multi-use machines <i.e. either other
users can log in and use applications on them, or they run another service
like dns or smtp which are the ftpd's of this decade>
>
> Why is it useless? Because, although you may be able to prevent a bad
> guy starting the server maliciously what's to stop him thereafter
> stealing the data that you captured over your SSL connection?
>
I was under the impression the keys one passphrased for protection were
done so as to prevent others from spoofing you and/or your site, though I
may well have this incorrect assumption. Yet, this is not a difficult thing
to do; wasn't there a grand redirection and spoofing just a few years back
of InterNIC?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]