tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sanaullah <sanaulla...@gmail.com>
Subject Re: JKS keystore password Encryption
Date Wed, 06 Aug 2014 01:41:51 GMT
Hi Chris,

I don't want to pass the audit. I am just curious why Jboss implemented
that ? and whats the purpose of SRP protocol implementation just to pass
the audit?

[1]
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Development_Guide/#sect-Secure_Remote_Password_Protocol


Regards,
Sanaullah


On Wed, Aug 6, 2014 at 5:34 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Sanaullah,
>
> On 8/4/14, 9:19 PM, Sanaullah wrote:
> > Thanks to all.
> >
> > I was looking something similar to this [1] which is implemented in
> > JBoss.
> >
> > [1]
> >
> https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html
>
> Congratulations:
> >
> you'll pass a security audit that flags this as a
> problem.
>
> Fail: you have moved your password to another file, and not gained a
> single thing.
>
> You may now celebrate the incompetence of both your auditors and
> engineering staff for sidestepping an issue rather than soberly
> dealing with it head-on.
>
> This is why formal risk analyses are much better than crappy
> script-based security audits. First of all, they force you to be much
> more creative than a script you paid someone a huge sum of money to
> run that only tells you obvious things that a light reading of any
> OWASP documentation would already tell you, *and* it gives you the
> opportunity to say "this thing doesn't matter at all, and even if we
> *did* do something about it, it wouldn't make any damn bit of difference."
>
> It's time engineering teams started teaching management about security.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJT4XgpAAoJEBzwKT+lPKRYE+MP/1uza2WXqwKMW1QwsoANQgGi
> Y+rzWmnMJJipG3E/gq2DhtorhARov2NadoHW0GGo+xoSU3ldnn0+ljJllX5hfs9s
> jMsO1aqtOYXmFHQYr9qo0js03DIE8IE1PsPZA+JGLgzw8h8/5NlfcIrjFpCWHf2r
> 04MXGTGLDryIgLPc5uO2RS0Tyl8XDky9do7GZ9B4Ykn/zgP/KqIHi1zQhwYv1BJM
> QF2GIEcFwc599+cH1ZlGJWJogAP7QsgxMFWIFH7Y4PmJcXHaJ3PyIAK7VG2vowcC
> KiERaVFd/RPtOqdaBf7xpqeKa3GUSF1c02AGz01xJuIB0U7tqA+ta4rdyUVvHGV8
> oyCRT48o6HuymO7/lXumTWBvBkPnuh+co7bN7Z4axVroeXBUCG5ldGY60VZlCYs5
> qfeSVbdwJzhZxvujnxigfJr9X41ZDKMs2aJ+bFkp28mLyKUYxCRA8RWbf0zqL3uN
> j8dnODehFnmpsEAxIa/zaq70MElKJLJ0QTUVKnnunTaOmZbopr25h9DL0XtA1Gft
> cS+0M++ic3zCJ57Md8VAYum8BksxcKiPmlQFu5shITYVmtntSimgCNU5nEooiJ45
> xvd03vioJJ7RCSVmciBM/wsFKhfgUFmgOc5bNG8KSFqhjh0A09t9JnEpB8CGVRGW
> jlzixmv5BOQjMFUJActT
> =yOJq
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message