
List:       tomcat-user
Subject:    RE: How to hide the keystorePass at the server.xml
From:       "Peter Crowther" <Peter.Crowther () melandra ! com>
Date:       2006-05-31 16:34:35
Message-ID: DDBBD1E00935D144AB9563D57EF98D622F7C9D () raccoon ! melandra ! net

> From: David Wall [mailto:d.wall@computer.org]
> What's the downside if someone who has access to your filesystem has
> access to the SSL cert keystore?  They can remove and install certs,
> but I could do that anyway by putting in a new keystore.  Somehow
> they'd need to take your keystore, put it on a rogue system and then
> spoil DNS to trick users into that system?  Why bother since I already
> have access to your web server's file system?

If they read your keystore and poison a DNS server, your server is not
defaced and you are less likely to be aware that it's happening.  If you
don't routinely check your site from somewhere that uses the poisoned
DNS, you may be unaware that it's happened.

If they replace your webapp, you're more likely to notice.

		- Peter
