httpd-users mailing list archives

From "Howarth, Richard" <rhowa...@sgb.co.uk>
Subject RE: [users@httpd] RE: ssl pass phrase dialog on startup
Date Mon, 18 Nov 2002 09:47:37 GMT
> Having said that, my personal opinion is that there is not much point to
> the passphrase - an SSL server should be highly secure anyway, with the
> cert readable only by root so theft of the cert should be as difficult
> as finding out the passphrase - i.e. anyone who can copy the cert has to
> have root privilege and so would know the passphrase anyway.

Or it can be as easy as obtaining a backup - either by theft, careless
handling of backup media or simply making an offer to a lowly paid operator
that they can't refuse.  The certificate can then be restored and used
without recourse to root privilege.

Once it is out in the wild, you have lost it.

> I think the
> safest way to run is without passphrase but with a highly secure
> webserver.

The passphrase is another layer in the security onion.  Whether or not you
should be using it will depend upon the nature of your business, your local
data protection laws and what the people who audit your company accounts and
practices think.

For private use and small business it may not be an issue, but in an
increasingly litigious world it is worth thinking twice before making
yourself culpable by willfully failing to implement or circumventing a
security feature.

Richard.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.