httpd-dev mailing list archives

From Rob Hartill <>
Subject from the mod_perl list
Date Wed, 09 Jul 1997 16:58:31 GMT

tee hee

---------- Forwarded message ----------
Date: Wed, 9 Jul 1997 11:08:34 -0400
From: Lincoln Stein <lstein@GENOME.WI.MIT.EDU>
Subject: Re: netcraft June survey

Here's a fun example of "security through obscurity" that I recently
learned about.

Unlike other SSL servers, Microsoft IIS does not ask for a passphrase
to unlock its RSA private key at boot time.  Why is this?  It turns
out that IIS encrypts the private key with something called the
"System Key", then obfuscates the system key with an unpublished
algorithm and hides it in the system registry (at an unknown
location).  It sounds like they're hiding the keys to the company
vault under the doormat!

