tomcat-users mailing list archives

From David Wall <d.w...@computer.org>
Subject Re: How to hide the keystorePass at the server.xml
Date Fri, 02 Jun 2006 16:43:08 GMT

Leon Rosenberg wrote:
> On 6/2/06, Bill Barker <wbarker@wilshire.com> wrote:
>> TC 3.3.x had an optional module to do this.  It never got ported.
>>
>> I generally agree with most of the people that say that this is the
>> least of your problems.  If you are using a self-signed cert, then you
>> are just getting what you deserve.  Otherwise, you simply contact the
>> CA and revoke the cert:  At least this problem is solved :).  Now, how
>> to deal with the fact that the hacker just uploaded 10,000 credit-card
>> numbers, since my jdbc password was in the clear :).
>
> Actually you are not allowed to save credit card numbers unless you
> are a certified payment provider (which implies major security
> constraints).
> Even a certified payment provider is not allowed to store cvc codes,
> and without the codes the credit card numbers are useless. (amazon of
> course is an exception to this rule...)
> However, if you are saving cc-numbers or bank accounts or any other
> payment related data in your database unencrypted you belong in jail
> :-)
> But please feel free to tell us that you are doing one of the above,
> so we know which sites to avoid :-)
Somewhat true, but nearly every site that collects payment information 
and charges at a later date stores that information until the card is 
actually processed, and many businesses do not charge the card until the 
product/service has been delivered. 

Furthermore, that simply begs the issue, since it could be SSN, 
salaries, student loan info, job histories, etc. that become vulnerable.  

I don't think there's much argument that allowing the option to manually 
enter the keystore password is a bad thing, just that protecting an SSL 
cert is only a small concern if your filesystem has been compromised.

David

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
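Editor's note: the thread's practical point is that a keystore password in server.xml is only as private as the file that holds it, and that the JDBC password in the same file usually matters more. The script below is an added example, not code from the thread or from the Tomcat project: it parses a server.xml, reports which elements carry a password attribute in the clear (without echoing the value), and checks whether the file's mode lets group or other users read it. The sample configuration is constructed for illustration; the attribute names come from Tomcat's Connector, Certificate and JNDI Resource configuration.

```python
#!/usr/bin/env python3
"""Audit a Tomcat server.xml for passwords stored in the clear.

Added example; the configuration below is constructed for illustration
and is not taken from the thread.
"""
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Attributes Tomcat reads as passwords.  keystorePass is the attribute the
# thread asks about; certificateKeystorePassword is the <Certificate> form
# used by Tomcat 8.5 and later; password on a JNDI <Resource> is the JDBC
# case mentioned in the quoted reply.
SECRET_ATTRIBUTES = {
    "Connector": ("keystorePass", "truststorePass"),
    "Certificate": ("certificateKeystorePassword",),
    "Resource": ("password",),
}

# Constructed sample: one cleartext JDBC password, one cleartext keystore
# password, one plain HTTP connector that carries no secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="jdbc/orders" auth="Container" type="javax.sql.DataSource"
              username="app" password="hunter2"
              url="jdbc:postgresql://db/orders"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
  </Service>
</Server>
"""


def find_cleartext_secrets(xml_text):
    """Return (tag, attribute, identifier) for each secret-bearing attribute.

    The identifier is the Connector port or Resource name, so the report
    points at the element without repeating the secret itself.
    """
    findings = []
    for element in ET.fromstring(xml_text).iter():
        for attr in SECRET_ATTRIBUTES.get(element.tag, ()):
            if element.get(attr):
                ident = element.get("port") or element.get("name") or ""
                findings.append((element.tag, attr, ident))
    return findings


def readable_by_others(mode):
    """True if the permission bits grant group or world read access.

    A cleartext password is only as private as the file holding it, which
    is the point the thread makes about a compromised filesystem.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Audit one server.xml on disk; returns (findings, mode_is_loose)."""
    with open(path, encoding="utf-8") as fh:
        findings = find_cleartext_secrets(fh.read())
    loose = readable_by_others(os.stat(path).st_mode)
    return findings, loose


if __name__ == "__main__":
    # Usage: audit_server_xml.py [path/to/server.xml]; with no argument the
    # constructed sample is scanned instead.
    if len(sys.argv) > 1:
        found, loose = audit(sys.argv[1])
        if loose:
            print(f"{sys.argv[1]}: readable by group or others")
    else:
        found = find_cleartext_secrets(SAMPLE_SERVER_XML)
    for tag, attr, ident in found:
        print(f"cleartext {attr} on <{tag}> {ident}")
```

Run against the sample it reports the JDBC `password` on the `jdbc/orders` Resource and the `keystorePass` on the port 8443 Connector; run against a real file it also flags a mode such as 0644. The report deliberately prints the attribute and element, never the value, so the audit output does not become one more copy of the secret.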

