tomcat-users mailing list archives

From David Wall <>
Subject Re: How to hide the keystorePass at the server.xml
Date Fri, 02 Jun 2006 16:43:08 GMT

Leon Rosenberg wrote:
> On 6/2/06, Bill Barker <> wrote:
>> TC 3.3.x had an optional module to do this.  It never got ported.
>> I generally agree with most of the people that say that this is the
>> least of your problems.  If you are using a self-signed cert, then you
>> are just getting what you deserve.  Otherwise, you simply contact the
>> CA and revoke the cert:  At least this problem is solved :).  Now, how
>> to deal with the fact that the hacker just uploaded 10,000 credit-card
>> numbers, since my jdbc password was in the clear :).
> Actually you are not allowed to save credit card numbers unless you
> are a certified payment provider (which implies major security
> constraints).
> Even a certified payment provider is not allowed to store cvc codes,
> and without the codes the credit card numbers are useless. (amazon of
> course is an exception to this rule...)
> However, if you are saving cc-numbers or bank accounts or any other
> payment related data in your database unencrypted you belong in jail
> :-)
> But please feel free to tell us that you are doing one of the above,
> so we know which sites to avoid :-)
Somewhat true, but nearly every site that collects payment information 
and charges at a later date stores that information until the card is 
actually processed, and many businesses do not charge the card until the 
product/service has been delivered. 

Furthermore, that simply begs the issue, since it could be SSN, 
salaries, student loan info, job histories, etc. that become vulnerable.  

I don't think there's much argument that allowing the option to manually 
enter the keystore password is a bad thing, just that protecting an SSL 
cert is only a small concern if your filesystem has been compromised.
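
A small audit script, added here as an illustration and not code from the thread or from Tomcat, that reports the plaintext secrets the posters mention (keystorePass on a Connector, the password on a JDBC Resource) and whether the file mode lets group or other accounts read the file. The attribute names are Tomcat's own; the sample server.xml is constructed for the example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Attribute names Tomcat uses for secrets in server.xml (assumed set:
# keystorePass/truststorePass on <Connector>, password on a JDBC <Resource>).
SECRET_ATTRS = {"keystorePass", "truststorePass", "password"}

# Constructed sample server.xml, shaped like the file the thread discusses.
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="jdbc/orders" type="javax.sql.DataSource"
              username="app" password="s3cret-jdbc"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https"
               keystoreFile="conf/keystore" keystorePass="changeit"/>
    <Connector port="8080"/>
  </Service>
</Server>
"""

def find_plaintext_secrets(xml_text):
    """Return (tag, attribute) pairs for every non-empty secret attribute,
    in document order. The values themselves are deliberately not returned
    so the report can be logged without re-exposing them."""
    root = ET.fromstring(xml_text)
    return [(elem.tag, attr) for elem in root.iter()
            for attr in elem.attrib
            if attr in SECRET_ATTRS and elem.attrib[attr]]

def readable_by_others(mode):
    """True if a file mode lets group or world read the file: with secrets
    in the clear, the mode is the only thing between a local account and
    the keystore or database password."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    """Audit one server.xml on disk; returns what a reviewer needs to know."""
    with open(path, encoding="utf-8") as f:
        secrets = find_plaintext_secrets(f.read())
    return {"secrets": secrets,
            "readable_by_others": readable_by_others(os.stat(path).st_mode)}

if __name__ == "__main__":
    for tag, attr in find_plaintext_secrets(SAMPLE_SERVER_XML):
        print(f"plaintext secret: <{tag} {attr}=...>")
```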

