1996-04-24 - Re: ApacheSSL

Header Data

From: sameer@c2.org
To: stewarts@ix.netcom.com (Bill Stewart)
Message Hash: 4a0746156bf7d19c84d44cb7fbea15adaf6c6191ca90a0cacc4f4e2957e5924e
Message ID: <199604232150.OAA01944@atropos.c2.org>
Reply To: <199604232059.NAA24322@toad.com>
UTC Datetime: 1996-04-24 03:47:10 UTC
Raw Date: Wed, 24 Apr 1996 11:47:10 +0800

Raw message

From: sameer@c2.org
Date: Wed, 24 Apr 1996 11:47:10 +0800
To: stewarts@ix.netcom.com (Bill Stewart)
Subject: Re: ApacheSSL
In-Reply-To: <199604232059.NAA24322@toad.com>
Message-ID: <199604232150.OAA01944@atropos.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


> If they're handling money, then, yes, the paranoia is probably necessary.
> Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL
> and similar systems is that the server they run on is typically sitting right
> out there on the Internet waiting for somebody to crack it, and keeping
> credit card information on the same rather than handing the encrypted
> information
> across some secure interface (whether a firewall or dedicated RS232 or
> whatever.)
> A bulletproof 128-bit interface doesn't help if it's running on a cracked
> machine.
> Putting it on a separate firewalled machine is a Good Thing.

	Yes, and being able to review the source code of the server
for security holes is also Important, if you are dealing with real
money.

-- 
Sameer Parekh					Voice:   510-601-9777x3
Community ConneXion, Inc.			FAX:     510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.net/ (or login as "guest")		sameer@c2.net





Thread