securing ssl certificates on web servers
Shachar Shemesh
shachar at shemesh.biz
Fri Jan 29 11:39:32 IST 2010
Amos Shapira wrote:
>
> Does Apache keep it in plain text in memory or maybe it obscures it
> until it's actually used?
>
It does not matter. Even if it obscures it, it should be fairly easy for
an attacker to unobscure it.
>
>
> We hear that Akamai don't store certificates on their front line
> servers at all and have them shipped to the servers on-line.
>
>
But you don't know why, or whether it has any effect. For example, they
may be doing this to make deployment easier...
>
> Part of this is how corporations make decisions, some of our clients
> want to give us SSL certificates for servers under their domain names
> and will feel more comfortable with us telling them that we don't
> store them in plain text. When others (like - competition) tell them
> the same, you have to play by these kinds of rules.
>
Tell them you are storing them on an encrypted partition. It boils down
to the same thing (and provides, more or less, the same protection from
the same attack).
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com