From "Jason Pyeron" <jpye...@pdinc.us>
Subject RE: Secure AJP over ssl
Date Wed, 23 Feb 2011 18:28:04 GMT

> -----Original Message-----
> From: Mladen Turk [mailto:mturk@apache.org] 
> Sent: Wednesday, February 23, 2011 3:01
> To: users@tomcat.apache.org
> Subject: Re: Secure AJP over ssl
> 
> On 02/22/2011 11:23 PM, Jason Pyeron wrote:
> >> -----Original Message-----
> >
> > That is a naive view. [Please forgive the wording.]
> >
> 
> None taken.
> 
> > Given:
> >
> > 1) The Apache box is secure and login is restricted to the minimum set
> > of persons with a need to know.
> > 2) The Tomcat box is secure and login is restricted to the minimum set
> > of persons with a need to know.
> >
> > There is no reason to allow the set of persons capable (and sometimes
> > authorized) to inspect the data on a network (network operations) to
> > be able to inspect the unsecured contents of the data stream. That
> > would be a breach of security and law.
> >
> 
> I was just waiting for you to mention that :)
> What do you think happens when encrypted data from the client
> comes in and is encrypted again and sent to the client?
> It's unencrypted in memory, and anyone with access to the
> box can just inspect the content of the httpd process in the
> same way they can read the data on the socket.
> So since persons who are authorized to log in to the Apache
> and Tomcat boxes have the option to view the data, your entire
> security is still human based. That's why I see no point in

Yes, the list includes 4 people.

> encrypting the data transfer between those boxes, because you
> can just as well make sure the proper persons have the network access.
> 

That list includes 78 people.

> However, I can live with the 'law' reason, but that doesn't
> mean it's secure just because the 'law' says it is.

I see it as there is no excuse not to encrypt it when it crosses security domain
boundaries.



--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.