On Wed December 24 2008, Edward Diener wrote:

> - - - snip - - -
> >
> > This will not keep a cryptographer out of your application, but should
> > pass the "warm and fuzzy" test.
>
> It may make it harder for a disruptive hacker.
>

That is what I meant, my own poor choice of words. Just wanted to be clear this scheme is not "increasing the security" as a communications security expert would use the phrase.

> In general what I can do is store the certs in encrypted form as
> resources in the application and, each time I need them, read the
> resources into memory, decrypt them, write them out as temporary files,
> use the temporary files in the MySQL connection, and then destroy the
> temporary files after the SSL connection is made. This will keep me from
> distributing them as files in the installation.
>

As others have posted, here is your major point of vulnerability - the direct SQL connection to the database. You really need to set up the system to connect to your server, and let the server proxy to the SQL database server, after very careful inspection of the request strings. With such a setup, you then have the system protection code running in your own, protected (the server) environment. Anything else is just asking the Fox if everything is OK in the chicken house. ;)

> Whether this extra processing is really necessary, good security, or
> "security theatre" as another respondent on this thread claims, I am
> really not sure. But that is why I posted my OP, to see what others
> think and how others handled the situation.
>

I am not addressing "security" as understood by the security professionals on this list - only the subjective reaction of your boss to bad advice. Which I called the "warm and fuzzy" test. But it reads as if you are already aware we are not talking "security" here, just "subjective impression".

Mike

> Thanks !
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
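To make the server-side proxy advice in the reply above concrete, here is an added example that is not part of the thread or of either poster's code. It assumes the client speaks to a server you control, the server holds the only database credentials, and every client request is an opaque "op" name plus arguments that the server checks against an allow-list before it runs a fixed, parameterized statement. sqlite3 (in memory, with constructed sample rows) stands in for the MySQL server; the operation names, argument patterns and table layout are hypothetical.

```python
"""Server-side SQL proxy: the client never gets a database connection.

Added example (not from the mailing-list thread). The client sends a
request such as {"op": "orders_by_customer", "args": {"customer": "alice"}};
the server looks the op up in an allow-list, validates each argument
against a strict pattern, and only then executes a fixed, parameterized
statement. Untrusted text is never concatenated into SQL.
"""
import re
import sqlite3

# Constructed sample schema and rows; sqlite3 stands in for MySQL here.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, total REAL NOT NULL);
INSERT INTO orders VALUES (1, 'alice', 19.99), (2, 'bob', 5.00), (3, 'alice', 42.00);
"""

# Allow-list: op name -> (fixed parameterized SQL, argument specification).
# Each argument has a name, a regex it must fully match, and a converter.
# Hypothetical operations chosen for illustration.
OPERATIONS = {
    "orders_by_customer": (
        "SELECT id, total FROM orders WHERE customer = ? ORDER BY id",
        [("customer", re.compile(r"[a-z0-9_]{1,32}"), str)],
    ),
    "order_by_id": (
        "SELECT id, customer, total FROM orders WHERE id = ?",
        [("id", re.compile(r"[0-9]{1,9}"), int)],
    ),
}


class RejectedRequest(ValueError):
    """Raised when a client request fails inspection."""


def open_db():
    """Open the in-memory stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def validate(request):
    """Inspect an untrusted request; return (sql, params) or raise.

    The op must be on the allow-list, the argument set must match exactly
    (no missing and no extra keys), and every value must be a string that
    fully matches its pattern. Only then is it converted for binding.
    """
    if not isinstance(request, dict):
        raise RejectedRequest("request must be an object")
    op = request.get("op")
    if not isinstance(op, str) or op not in OPERATIONS:
        raise RejectedRequest("unknown operation")
    sql, spec = OPERATIONS[op]
    args = request.get("args", {})
    if not isinstance(args, dict) or set(args) != {name for name, _, _ in spec}:
        raise RejectedRequest("wrong argument set")
    params = []
    for name, pattern, convert in spec:
        value = args[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise RejectedRequest(f"bad value for {name}")
        params.append(convert(value))
    return sql, tuple(params)


def handle(request, conn):
    """Proxy one client request to the database.

    Returns {"ok": True, "rows": [...]} on success, or {"ok": False,
    "error": reason} when the request is rejected. Database errors are
    not echoed back to the client, only a generic failure.
    """
    try:
        sql, params = validate(request)
    except RejectedRequest as exc:
        return {"ok": False, "error": str(exc)}
    try:
        rows = conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        return {"ok": False, "error": "query failed"}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = open_db()
    print(handle({"op": "orders_by_customer", "args": {"customer": "alice"}}, db))
    # An injection attempt never reaches the database: the pattern check rejects it.
    print(handle({"op": "orders_by_customer", "args": {"customer": "alice' OR '1'='1"}}, db))
```

The point of the pattern checks is not that the parameter binding needs them (a bound parameter is never parsed as SQL), but that the server decides what a well-formed request is before touching the database at all, which is the "careful inspection" the reply asks for; the client-side program holds no credentials, no certificates and no SQL, so there is nothing in the installation for the "disruptive hacker" to recover.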