Re: ApacheSSL
At 01:50 PM 4/20/96 +0000, [email protected] wrote:
>An ISP that I have ties with is looking to set up a secure server.
>Currently, they are running Apache. I told them that for ~$500 they
>can put on Apache SSL and be all ready. However, they want to buy
>Netscape (for the name, I've already given them the 40bit gospel),
>put it on a separate, firewalled machine, allow no access to it, etc,
>etc. Is all this paranoia necessary?
If they're handling money, then, yes, the paranoia is probably necessary.
Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL
and similar systems is that the server they run on is typically sitting right
out there on the Internet waiting for somebody to crack it, and keeping
credit card information on the same rather than handing the encrypted information
across some secure interface (whether a firewall or dedicated RS232 or whatever.)
A bulletproof 128-bit interface doesn't help if it's running on a cracked machine.
Putting it on a separate firewalled machine is a Good Thing.
# Thanks; Bill
# Bill Stewart, [email protected], +1-415-442-2215