Yeah, well-reasoned rebuttal there... not.
That's why we encrypt passwords in Unix, or haven't you looked at /etc/passwd 
lately? Are you going to tell me that is complete nonsense?
According to your 'argument' that is 'security by obscurity'. You better break 
that to the GNU crowd gently.
Having a username and password in clear text allows another account to be 
compromised. And, if that account is on another box holding your DB, then the 
attacker has two boxes for the price of one.
This is additionally worse, as in a secure environment, the DB is usually in a 
different architecture layer or vlan.

On 31/10/10 8:01 AM, "Pid *" <p...@pidster.com> wrote:

On 30 Oct 2010, at 15:20, Darryl Lewis <darryl.le...@unsw.edu.au> wrote:

> Well so far all this discussion has done is to make me realise that tomcat 
> should not be used in an environment that requires security.

Complete nonsense.


p


> If cracking an app will let you get passwords on another box, that is weak 
> security.
>
>
> On 30/10/10 11:27 PM, "Caldarale, Charles R" <chuck.caldar...@unisys.com> 
> wrote:
>
>> From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au]
>> Subject: Re: running tomcat6 under a different user than root (debian)
>
>> Use encryption
>> http://java.sys-con.com/node/393364
>
> Sorry, that just moves the problem.  The article completely ignores the issue 
> of where to put the decryption key - which must be in plain text somewhere.  
> As Mark pointed out, obfuscation != security.
>
> - Chuck
>
> P.S.  Interesting that the author of that article was using a Tomcat already 
> three years old at the time of publication; doesn't really help the somewhat 
> questionable credibility.  (Reference implementations shouldn't be used in 
> production?  Where did he get that one?)
>
>

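Added illustration (not written by anyone on this thread) of the two cases being argued: a /etc/shadow-style entry only needs to be verified, so the system never stores the plaintext, whereas a DB password in Tomcat's config must be recoverable, so the decryption key has to sit on the same box and any process that can read both files gets the password back. The keystream cipher below is a constructed toy for illustration, not a recommended construction; file names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000


def make_shadow_entry(password: str) -> str:
    """One-way, /etc/shadow-style: salted hash, plaintext never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_login(password: str, entry: str) -> bool:
    """Verification needs only the hash: reading the entry yields no password."""
    salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-counter keystream (constructed for illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_config_password(password: str, key: bytes) -> str:
    """Reversible: the app must later present the real password to the DB."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(password))
    return nonce.hex() + "$" + bytes(a ^ b for a, b in zip(password.encode(), ks)).hex()


def decrypt_config_password(blob: str, key: bytes) -> str:
    nonce_hex, ct_hex = blob.split("$")
    ct = bytes.fromhex(ct_hex)
    ks = _keystream(key, bytes.fromhex(nonce_hex), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


def recover_with_read_access(files: dict) -> str:
    """Whoever can read context.xml and the key file (assumed names) has the password."""
    return decrypt_config_password(files["context.xml"], files["key.bin"])
```

The mitigation therefore lives in OS permissions (the config and key readable only by the Tomcat user) and in what that DB account is allowed to do, not in the encryption itself.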