ApacheSSL

Bill Stewart stewarts at ix.netcom.com
Tue Apr 23 19:20:37 PDT 1996


At 01:50 PM 4/20/96 +0000, umwalber at cc.UManitoba.CA wrote:
>An ISP that I have ties with is looking to set up a secure server.
>Currently, they are running Apache.  I told them that for ~$500 they 
>can put on Apache SSL and be all ready.  However, they want to buy 
>Netscape (for the name, I've already given them the 40bit gospel), 
>put it on a separate, firewalled machine, allow no access to it, etc, 
>etc.  Is all this paranoia necessary?

If they're handling money, then, yes, the paranoia is probably necessary.
Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL
and similar systems is that the server they run on is typically sitting right
out there on the Internet waiting for somebody to crack it, and keeping
credit card information on the same rather than handing the encrypted information
across some secure interface (whether a firewall or dedicated RS232 or whatever.)
A bulletproof 128-bit interface doesn't help if it's running on a cracked machine.
Putting it on a separate firewalled machine is a Good Thing.
#					Thanks;  Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215






