Re: Secure automation?

From: Juha Laiho (Juha.Laiho@iki.fi)
Date: 06/18/02


From: Juha Laiho <Juha.Laiho@iki.fi>
Date: Tue, 18 Jun 2002 19:17:01 GMT

David Stanek <no_spam..python@dstanek.com-NOSPAM> said:
>The problem I can't seem to get around is the fact that to decrypt you
>need a key. So it has to exist somewhere right?

Correct. And if you store the key on a system, the key can be copied
from the system - i.e. your data is only as safe as the overall system
is. Unfortunately there's no way out of this.

Examples:
To provide secured web services (https), a server SSL certificate is
needed. To reduce risk of fraud should a cracker be able to copy the
key off the system, it is suggested that the key is protected with
a password. The downside with this is that the web server will ask
for the password upon startup - so no more unattended startups. Unless
you come up with a program that would enter the password to the
web server that is starting up - but then you'd have to store that
password on the machine itself, so you'd lose the extra security you
tried to gain.

To be able to verify a server certificate, a web browser needs to
have a certificate corresponding to the one used to sign the server
certificate. To save the user from the hassle of obtaining and verifying
the CA public keys, the keys are distributed with browsers. Otherwise
the users would first need to obtain known good copies of the signing
CA's public key -- so even though the world seems so much simpler here,
it is so only because the browser manufacturer already bundles the known
good keys. Btw, mind where you get your browsers. Make sure the download
is not spoofed.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
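The two points in the post above (a passphrase on the server key, and the verifier needing the CA's certificate beforehand), shown with openssl as an added example that is not part of the original post; the CA name, host name, paths and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. All names and the passphrase are constructed.
set -eu
WORK=$(mktemp -d)
PASS='correct horse battery staple'   # constructed passphrase

# 1. A private test CA, standing in for the CA whose public key browsers bundle.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -subj '/CN=Example Test CA' -days 2 >/dev/null 2>&1

# 2. The server key, stored encrypted under a passphrase as the post suggests,
#    then certified by the test CA.
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key" 2048 >/dev/null 2>&1
openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
  -subj '/CN=www.example.test' -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/server.crt" -days 2 >/dev/null 2>&1

# Chain check: succeeds only when the verifier already holds the CA certificate
# (the "known good copy" the browser maker bundles); with no trusted CA it fails.
verify_with_ca()    { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
verify_without_ca() { openssl verify "$WORK/server.crt" >/dev/null 2>&1; }

# Key check: the encrypted key file is usable only with the right passphrase...
unlock_key() { openssl pkey -in "$WORK/server.key" -passin "pass:$1" -noout >/dev/null 2>&1; }

# ...so an unattended-startup helper must keep that passphrase on the same disk,
# and whoever copies both files is back to holding the equivalent of a plaintext key.
printf '%s' "$PASS" > "$WORK/autostart.pass"
unlock_key_from_file() {
  openssl pkey -in "$WORK/server.key" -passin "file:$WORK/autostart.pass" -noout >/dev/null 2>&1
}

report() { if "$@"; then echo "$1: ok"; else echo "$1: FAILED"; fi; }
report verify_with_ca               # ok
report verify_without_ca            # FAILED (issuer unknown to the verifier)
report unlock_key 'wrong passphrase' # FAILED
report unlock_key_from_file         # ok (stored passphrase unlocks it)
```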
