From: David Wall
To: Tomcat Users List
Date: Fri, 02 Jun 2006 09:43:08 -0700
Subject: Re: How to hide the keystorePass at the server.xml
Message-ID: <44806A9C.8010702@computer.org>
In-Reply-To: <327858f40606020245k12b10524l523454a12ae2de6a@mail.gmail.com>
Leon Rosenberg wrote:
> On 6/2/06, Bill Barker wrote:
>> TC 3.3.x had an optional module to do this. It never got ported.
>>
>> I generally agree with most of the people that say that this is the
>> least of your problems. If you are using a self-signed cert, then you
>> are just getting what you deserve. Otherwise, you simply contact the CA
>> and revoke the cert: At least this problem is solved :). Now, how to
>> deal with the fact that the hacker just uploaded 10,000 credit-card
>> numbers, since my jdbc password was in the clear :).
>
> Actually you are not allowed to save credit card numbers unless you
> are a certified payment provider (which implies major security
> constraints).
> Even a certified payment provider is not allowed to store cvc codes,
> and without the codes the credit card numbers are useless. (amazon of
> course is an exception to this rule...)
> However, if you are saving cc-numbers or bank accounts or any other
> payment related data in your database unencrypted you belong in jail
> :-)
> But please feel free to tell us that you are doing one of the above,
> so we know which sites to avoid :-)

Somewhat true, but nearly every site that collects payment information
and charges at a later date stores that information until the card is
actually processed, and many businesses do not charge the card until the
product/service has been delivered.

Furthermore, that simply begs the issue, since it could be SSN, salaries,
student loan info, job histories, etc. that become vulnerable.

I don't think there's much argument that allowing the option to manually
enter the keystore password is a bad thing, just that protecting an SSL
cert is only a small concern if your filesystem has been compromised.
David

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
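The thread's practical point is that server.xml is one of several files that hold secrets in the clear (keystorePass, the JDBC password in a Resource), so the cert password is only one item to worry about once the filesystem is readable. The following audit script is an added example and is not code from the thread or from the Tomcat project. It assumes a constructed server.xml (embedded below), treats a `${...}` value as a reference resolved at startup from system properties rather than a literal secret, and checks a file mode the way a reviewer would check the permissions on conf/server.xml; the attribute list SECRET_ATTRS is the author's choice, not a Tomcat-defined set.

```python
"""Audit a Tomcat server.xml for plaintext secrets and loose file permissions.

Added example; the XML below is constructed for illustration.
"""
import re
import stat
import xml.etree.ElementTree as ET

# Attribute names that commonly carry secrets in server.xml (assumed list).
SECRET_ATTRS = {"keystorePass", "truststorePass", "keyPass", "password"}

# A value of the form ${some.property} is a reference, not a literal secret.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample: one connector with a literal password, one using a
# property reference, and a JNDI DataSource with a literal JDBC password.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/keystore.jks"
               keystorePass="${tomcat.keystore.pass}"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
  <GlobalNamingResources>
    <Resource name="jdbc/shop" auth="Container" type="javax.sql.DataSource"
              username="shop" password="s3cret-literal"
              url="jdbc:postgresql://db/shop"/>
  </GlobalNamingResources>
</Server>
"""


def find_plaintext_secrets(xml_text):
    """Return (element tag, attribute name) for every secret-bearing attribute
    whose value is a literal rather than a ${...} reference.

    The secret value itself is deliberately not returned, so the report can
    be logged without copying the password into yet another file.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():  # document order
        for attr, value in elem.attrib.items():
            if attr in SECRET_ATTRS and not PLACEHOLDER.match(value):
                findings.append((elem.tag, attr))
    return findings


def mode_is_too_open(mode):
    """True if a file mode grants any group or world read access.

    A config file holding passwords should be readable only by the account
    Tomcat runs as (e.g. 0600); 0644 would expose it to every local user.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(xml_text, file_mode):
    """Combine both checks into a list of human-readable findings."""
    report = [f"literal secret in <{tag}> attribute '{attr}'"
              for tag, attr in find_plaintext_secrets(xml_text)]
    if mode_is_too_open(file_mode):
        report.append(f"file mode {oct(file_mode)} is readable by group/others")
    return report


if __name__ == "__main__":
    # Run against the constructed sample with a typical loose mode of 0644.
    for line in audit(SAMPLE_SERVER_XML, 0o644):
        print("FINDING:", line)
```

Running it on the sample reports the 8443 connector's keystorePass and the DataSource password, skips the `${tomcat.keystore.pass}` reference, and flags the 0644 mode; on a real host, replace the sample with the contents of conf/server.xml and the mode with `os.stat(path).st_mode`.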