On Fri, Jan 14, 2000 at 01:22:27PM -0600, Alan Mead wrote:
> This article seems to say that all major servers (Apache, Netscape, IIS)
> are vulnerable to local attacks which read the private key from memory. It
> goes on to say that you really need their $4,000 to $17,000 solution to
> "vault" the keys. So it sounds like crap but I was wondering if anyone
> with more knowledge about Apache, public key cryptography, and Linux memory
> management would care to explain the degree of risk involved. I suppose
> this has been an issue, if it is, for years and I've never heard of a
> problem...
I don't know about other OS's, but in Linux, you need root access to read
the memory used by processes you don't own.
If someone breaks into your webserver and gets root access.... having
encrypted keys in your apache memory space which are identifiable is the
least of your problems.
That press release is just a marketing stunt. They want you to buy their
secure box... which can only provide marginally better security, if any at
all.
--
Steve Borho Voice: 314-615-6349
Network Engineer
Celox Communications Corp
Fortune of the day:
I just thought of something funny...your mother.
- Cheech Marin
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
