tomcat-users mailing list archives

From "Martin Dubuc" <martind1...@gmail.com>
Subject Re: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 16:44:46 GMT
Chris,

I am not sure I buy your argument that because there is somewhere else
in an implementation that is as insecure as a cleartext password, then
there is no point in fixing the cleartext password issue. With this
argument, we would never care about fixing any security holes, because
one can always find a new security hole to exploit. Plus, well, the
assumption that someone is using a password-less key with Apache
running with SSL is pretty weak, because there are ways to avoid using
a password-less key.

As far as the UNIX password analogy goes, Tomcat may be seen as a user, not
UNIX, but it still performs authentication. So in my mind, it is
filling in for both roles (UNIX and user). I have the impression that
using MD5/SHA hashing would be a good option, because it would be
simple, would not require any additional key, and would provide some sense
of security. Not the silver lining, but better than cleartext, for
sure.

Martin

On 5/1/07, Christopher Schultz <chris@christopherschultz.net> wrote:
> Martin,
>
> Martin Dubuc wrote:
> > But it strikes me that Tomcat
> > is the only application I know where passwords are stored in clear
> > text.
>
> I'll bet that Tomcat is the only application that needs to know its own
> passwords. Do you have Apache running with SSL? Where do you store the
> password for the SSL key? I'll bet that you have a password-less key,
> which is just about the same as a cleartext password lying around.
>
> > Why wouldn't we at least store the MD5 hash of the passwords
> > instead of the password in clear text, or use a scheme similar to the
> > Unix /etc/passwd file?
>
> Because UNIX password files are used to authenticate a user typing their
> password. In this analogy, Tomcat isn't UNIX, Tomcat is /the user/.
>
> - -chris
>
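The /etc/passwd analogy in the quoted reply, made concrete as an added example (not code from the thread or from Tomcat): a verifier such as UNIX or the database can store only a salted hash, but a party that must present the credential, as Tomcat's connection pool does, cannot substitute a hash for it. The class and function names and the sample password are assumptions for illustration; it uses only the Python standard library.

```python
# Added example, not from the thread: the verifier side can hash, the
# presenting side cannot. Standard library only.
import hashlib
import hmac
import os


def _digest(salt: bytes, password: str) -> bytes:
    # PBKDF2 with a random salt, the modern form of /etc/shadow-style storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Verifier:
    """Plays UNIX / the database: keeps salt + hash, never the cleartext."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.stored = _digest(self.salt, password)

    def check(self, presented: str) -> bool:
        return hmac.compare_digest(self.stored, _digest(self.salt, presented))


class PoolConfig:
    """Plays Tomcat: whatever it stores is what it must send to the verifier."""

    def __init__(self, stored: str) -> None:
        self.stored = stored

    def open_connection(self, verifier: Verifier) -> bool:
        return verifier.check(self.stored)


def demo() -> tuple[bool, bool, bool]:
    db = Verifier("s3cret")  # constructed sample password (hypothetical)
    # Verifier side: hashing works, and the database never holds the cleartext.
    server_side_ok = db.check("s3cret") and not db.check("wrong")
    # Presenting side: a pool that stored only a hash cannot log in, because
    # the database expects the password itself.
    hashed = hashlib.sha256(b"s3cret").hexdigest()
    hashed_pool_fails = not PoolConfig(hashed).open_connection(db)
    # The stored hash only "works" if the database were provisioned with that
    # hash as the password, at which point the hash is the cleartext
    # credential and nothing has been gained by hashing.
    db_provisioned_with_hash = Verifier(hashed)
    hash_is_the_password = PoolConfig(hashed).open_connection(db_provisioned_with_hash)
    return server_side_ok, hashed_pool_fails, hash_is_the_password
```

`demo()` returns `(True, True, True)`: the verifier can hash, the pool cannot, and a "hashed" pool value is just a new cleartext secret.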

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org