At 01:50 PM 4/20/96 +0000, umwalber@cc.UManitoba.CA wrote:
> An ISP that I have ties with is looking to set up a secure server. Currently, they are running Apache. I told them that for ~$500 they can put on Apache SSL and be all ready. However, they want to buy Netscape (for the name, I've already given them the 40bit gospel), put it on a separate, firewalled machine, allow no access to it, etc, etc. Is all this paranoia necessary?
If they're handling money, then, yes, the paranoia is probably necessary. Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL and similar systems is that the server they run on is typically sitting right out there on the Internet waiting for somebody to crack it, and keeping credit card information on the same rather than handing the encrypted information across some secure interface (whether a firewall or dedicated RS232 or whatever.) A bulletproof 128-bit interface doesn't help if it's running on a cracked machine. Putting it on a separate firewalled machine is a Good Thing.

# Thanks; Bill
# Bill Stewart, stewarts@ix.netcom.com, +1-415-442-2215