Re: CGI security on a shared web server
From: H D Moore (sflist@digitaloffense.net)Date: 05/28/02
- Previous message: Ilya Martynov: "Re: CGI security on a shared web server (fwd)"
- In reply to: Steffen Dettmer: "Re: CGI security on a shared web server"
- Next in thread: Antonomasia: "Re: CGI security on a shared web server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: H D Moore <sflist@digitaloffense.net> To: Steffen Dettmer <steffen@dett.de>, secprog@securityfocus.com Date: Mon, 27 May 2002 22:19:37 -0500
On Saturday 25 May 2002 10:34, Steffen Dettmer wrote:
> * Kurt Seifried wrote on Thu, May 23, 2002 at 14:05 -0600:
> > One possible solution, assuming you need to write the data but not read
> > it until later is to encrypt it, generate a public/private keypair using
> > pgp/gnupg, load the public key onto the server with your app, have it
> > write the files after encrypting the data. Thus you can retrieve the data
> > (ftp, www, whatever) and then decrypt it at your leisure and use it.
>
> I don't think that this makes things secure. If the web server
> runs as nobody, the CGI script must be executable for nobody. The
> secret key must be reable for nobody.
I think you missed the point here, what Kurt suggested was that you only place
the PUBLIC key on the web server and encrypt (not sign) the data you want to
store. When you want access to the data, you download the files and decrypt
them on your local server/workstation/etc. This doesn't prevent someone from
writing bogus data into your file, but it does keep them from reading it.
-HD
- Previous message: Ilya Martynov: "Re: CGI security on a shared web server (fwd)"
- In reply to: Steffen Dettmer: "Re: CGI security on a shared web server"
- Next in thread: Antonomasia: "Re: CGI security on a shared web server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
