Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: Carson Gaspar <carson () taltos org>
Date: Sun, 5 Nov 2000 20:40:24 -0800
--On Sunday, November 05, 2000 11:25 AM -0800 "Jon Paul, Nollmann" <sinster () DARKWATER COM> wrote:
> It's a choice that's been made technologically: it's unworkable to have the private key encrypted, so it's left unencrypted. If you have the key encrypted and arrange for some other mechanism for the server to automagically get the passphrase at startup, then that's equivalent to having the private key unencrypted on the hard disk: all the data is there on the machine that's necessary to unencrypt the private key.

Who said anything about it happening automatically, much less automagically? Someone (or ones, if you use secret sharing) enters a passphrase every time the web server is restarted. As I said, you trade off operational complexity against security.

> It's unavoidable.

See above.

--
Carson Gaspar -- carson () taltos org
Queen Trapped in a Butch Body