httpd-users mailing list archives

From Tim Wort <...@pobox.com>
Subject Re: [users@httpd] New to SSL
Date Wed, 19 Mar 2003 12:48:43 GMT


Copy your server.key to server.key.orig and:

<path>/openssl rsa -in <path>/server.key.orig -out <path>/server.key

This makes a decrypted copy of the key and will not require a passphrase.


A point about self-signed certificates, first, I use one on my site so I
am not trying to say they have no use. In my case it's to protect password
data so it's not in the clear, however, I also understand that with a
self-signed certificate there is weak security at best. In my case it is to
protect data from a casual browser (using a sniffer) when I am at remote
sites. (I instruct Unix courses, often I am at education centers that have
open access to students and many of the courses I instruct use Solaris's
snoop or Ethereal)

My point is that if you can generate a certificate, I can too and so can
anyone else, so as an authentication device (the reason for a certificate)
it is not very secure, casual security at best.

Now, to exploit it the attacker would need to mount a "man in the middle"
attack pretending to be your server and sending the replacement
certificate and intercepting the data, in most cases unlikely but it can
be done. Basically the dsniff utilities have all that is required.

You need to balance the value of the asset you're trying to protect against
the real security of your SSL configuration. In truth, even with a real
certificate SSL is only marginally better, most users never read the
certificate warning that is sent if the certificate doesn't match the site
or if the attacker just makes up a certificate.

While the cryptography can be attacked it's unlikely, I know of no known
case where say a credit card number has been stolen on the internet by
attacking the SSL cipher. Not that it can't be done but if you're an attacker
the return on investment just isn't worth it and it is probably easier to
hack the server and get the database of credit cards than spend hours
trying to decrypt the one packet that has the credit card number in it.


Bruce Schneier's last <http://www.counterpane.com/crypto-gram.html>
crypto-gram (Mar 15th) has a very good write-up on the relative worth of
SSL and information about the most recent assault on the protocol.




On Wed, 19 Mar 2003, Scott Taylor wrote:

> Hello,
>
> I added my own signed certificate to this server and I'm wondering if this
> is normal for startup or did I do something wrong/unnecessary?  It's
> running on Mandrake Linux 9.0.  This dialogue only shows up in the log not
> when running the startup script /etc/rc.d/init.d/httpd start
>
> First time I thought I broke it because it just sat there with "Starting
> HTTPD:".  It was only by reading the log did I realize it was waiting for
> input.
>
> Well, that was months ago now.  This morning I had a hardware failure and
> the server rebooted and just sits at the spot where httpd starts up because
> it is waiting for user input of the pass phrase.  Is there anything I
> should do (should have done) different?  It's a bit of a pain, but if it's
> the secure way to do it I guess I can come in at 2AM to restart it if needs
> be (seldom ever happens).
>
> Cheers.
>
> <log snippet>
> Mar 19 02:42:34 mustang httpd: Apache-AdvancedExtranetServer/1.3.26
> mod_ssl/2.8.10 (Pass Phrase Dialog)
> Mar 19 02:42:34 mustang httpd: Some of your private key files are encrypted
> for security reasons.
> Mar 19 02:42:34 mustang httpd: In order to read them you have to provide us
> with the pass phrases.
> </log snippet>
>
> Scott
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=        Inkling Research Inc.      =
=    Tim.Wort@InklingResearch.com   =
=        Tim.Wort@pobox.com         =
=                                   =
=        Eschew Obfuscation         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
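The "openssl rsa -in server.key.orig -out server.key" step from the reply above, wrapped in a small POSIX shell script. This is an added example, not code from the original post or from the Apache project: it checks first that the key actually carries an encryption header, keeps the .orig backup, creates the decrypted copy with owner-only permissions (the decrypted file is now the only thing standing between a reader of the filesystem and the server's identity), and verifies the result parses without a passphrase. It assumes openssl is on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes "openssl" is on PATH.

# Return 0 if the PEM file in $1 carries an encryption header, 1 otherwise.
# Traditional PEM marks it with "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses the
# "BEGIN ENCRYPTED PRIVATE KEY" block label.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Make a passphrase-free copy of key $1 at path $2 (the same openssl command
# the post gives), keeping "$1.orig" as the backup and making sure the
# decrypted key is never created readable by other users.
strip_passphrase() {
    key="$1"
    out="$2"
    if ! key_is_encrypted "$key"; then
        echo "$key is not encrypted; nothing to do" >&2
        return 1
    fi
    cp -p "$key" "$key.orig" || return 1
    # umask inside a subshell so the caller's umask is left untouched
    ( umask 077 && openssl rsa -in "$key.orig" -out "$out" ) || return 1
    chmod 600 "$out" || return 1
    # Sanity check: the new file must load with an empty passphrase and be a
    # consistent RSA key; a failure here means the original should be kept.
    openssl rsa -in "$out" -passin pass: -noout -check >/dev/null 2>&1
}

# Usage: sh strip_passphrase.sh /path/to/server.key
# (writes the decrypted key in place, leaving server.key.orig behind)
if [ $# -eq 1 ]; then
    strip_passphrase "$1" "$1"
fi
```

Remember that once the key is stored unencrypted, file permissions and the access controls on the host are what protect it; the .orig copy stays encrypted and should be the one you archive.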




