Amos Shapira wrote:
> Does Apache keep it in plain text in memory or maybe it obscures it
> until it's actually used?

It does not matter. Even if it obscures it, it should be fairly easy for
an attacker to unobscure it.

> We hear that Akamai don't store certificates on their front line
> servers at all and have them shipped to the servers on-line.

But you don't know why, or whether it has any effect. For example, they
may be doing this to make deployment easier...

> Part of this is how corporations make decisions, some of our clients
> want to give us SSL certificates for servers under their domain names
> and will feel more comfortable with us telling them that we don't
> store them in plain text. When others (like - competition) tell them
> the same you have to play by these kinds of rules.

Tell them you are storing them on an encrypted partition. It boils down
to the same thing (and provides, more or less, the same protection from
the same attack).

Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il