From: Bill Stewart <stewarts@ix.netcom.com>
To: umwalber@cc.UManitoba.CA
Message Hash: 1b7ad63dab00b630ebe672014f4f5aa9ce1e3d09294a8be4e814800aab9b7fcd
Message ID: <199604232059.NAA24322@toad.com>
Reply To: N/A
UTC Datetime: 1996-04-24 02:20:37 UTC
Raw Date: Wed, 24 Apr 1996 10:20:37 +0800
From: Bill Stewart <stewarts@ix.netcom.com>
Date: Wed, 24 Apr 1996 10:20:37 +0800
To: umwalber@cc.UManitoba.CA
Subject: Re: ApacheSSL
Message-ID: <199604232059.NAA24322@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
At 01:50 PM 4/20/96 +0000, umwalber@cc.UManitoba.CA wrote:
>An ISP that I have ties with is looking to set up a secure server.
>Currently, they are running Apache. I told them that for ~$500 they
>can put on Apache SSL and be all ready. However, they want to buy
>Netscape (for the name, I've already given them the 40bit gospel),
>put it on a separate, firewalled machine, allow no access to it, etc,
>etc. Is all this paranoia necessary?
If they're handling money, then, yes, the paranoia is probably necessary.
Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL
and similar systems is that the server they run on is typically sitting right
out there on the Internet waiting for somebody to crack it, and keeping
credit card information on the same rather than handing the encrypted
information
across some secure interface (whether a firewall or dedicated RS232 or
whatever.)
A bulletproof 128-bit interface doesn't help if it's running on a cracked
machine.
Putting it on a separate firewalled machine is a Good Thing.
# Thanks; Bill
# Bill Stewart, stewarts@ix.netcom.com, +1-415-442-2215
Return to April 1996
Return to “sameer@c2.org”