Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
03-08-2006, 02:29 PM
|
#1
|
Member
Registered: Mar 2004
Location: Valencia, España
Distribution: Slack, Gentoo, Custom
Posts: 162
|
https for ecommerce + biggest weakness ?
Hi
I'm looking at systems using https for ecommerce situations. If you had to state the biggest vulnerability of https, what would it be?
Also I can't seem to find any information regarding the secure storage of the private key. Am I right in thinking that if someone compromised my server and found my private key they would then be able to use it to decrypt everything sent between the server and a client involved in a transaction with the server at that time? If this is the case, does a compromise of the private key represent a significant weakness in the https model?
Thanks
|
|
|
03-08-2006, 10:52 PM
|
#2
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
|
This sounds strangely like a homework question. Is it?
|
|
|
03-09-2006, 05:23 AM
|
#3
|
Member
Registered: Mar 2004
Location: Valencia, España
Distribution: Slack, Gentoo, Custom
Posts: 162
Original Poster
|
Sorry, it does have that ring to it, but I've been a member here for a while and I never ask homework questions - I study Spanish.
But I've been reading a lot about ssh, and there doesn't seem to be much info about the private key. I gather it's encrypted on the server and decrypted before use, but exactly how vulnerable is it on the server? I was reading this article by ncipher:
http://ncipher.imarc.net/company/new..._to_ecommerce/
which is somewhat refuted by this article:
http://www.schneier.com/crypto-gram-...blicityAttacks
Which brings me back to asking, in your opinion, which part of the ssl transaction is the weakest?
|
|
|
03-09-2006, 05:53 AM
|
#4
|
Member
Registered: Sep 2005
Posts: 41
|
If you're a corporate entity then you use a certificate signing agency like VeriSign to make your certificates and keys for you, and then you use these "Trusted" certificates on your site for users to download from you. You can make these certificates yourself, but a warning message box will come up and warn the user that this site was not secured by a trusted authority. I take it you're using Linux. If you go onto any secure site on the internet, after you have said that you wish to enter the secure site a little lock icon appears at the bottom of your browser. Click on this and it will give you a dialog box displaying details about where the certificate was signed. If it was bought from a trusted certificate authority then the certificate authority's name will be included in the information. The actual generation of the certificates and keys for a web site can be generated exactly the same way by yourself as an outside agency, so it's only the fact that it's a "trusted" authority that makes them viable. It could be argued that if you make everything yourself that it's safer, as you have your private key yourself and not some outside agency. The fact is that a warning about security in any shape or form will worry a user, so it's best not to have it. The actual private key that you make needs to be of a certain strength or it is breakable; 1024-bit keys are the minimum, I believe. If you want to know how to actually make these keys for your browser on Linux or Windows then there are tutorials that teach you how to do this. Hope this helps, although it may be a bit vague.
|
|
|
03-09-2006, 06:31 AM
|
#5
|
Member
Registered: Apr 2003
Distribution: Red Hat
Posts: 37
|
IMHO, should the private key be compromised, SSL connections already established will not be in danger (at least not expressly because of this). That is because they are using a symmetric session key negotiated during the SSL handshake. New connections will indeed be compromised.
hph,
NC
|
|
|
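For the key-storage question raised in this thread, one way to audit how a PEM private key sits on disk. This is an added example, not code from any poster; `audit_key_file` is a hypothetical helper, and the file names and key bodies are constructed placeholders, not real keys.

```python
import os
import stat
import tempfile

# PEM markers that mean the key body is passphrase-encrypted at rest.
ENCRYPTED_MARKERS = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 encrypted key
    "Proc-Type: 4,ENCRYPTED",                 # traditional OpenSSL PEM encryption
)


def audit_key_file(path):
    """Return a list of findings about how a PEM private key is stored."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible to group/other, expected 0600 or 0400")
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if "PRIVATE KEY-----" not in text:
        findings.append("no PEM private key block found")
    elif not any(marker in text for marker in ENCRYPTED_MARKERS):
        findings.append("key is stored unencrypted: read access to the file discloses it")
    return findings


def demo():
    """Audit two constructed key files (placeholder bodies, not real keys)."""
    plain = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
    enc = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in (("plain.key", plain, 0o644), ("enc.key", enc, 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)  # set explicitly so the umask does not matter
            results[name] = audit_key_file(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Passphrase encryption protects the file at rest only: a running server holds the decrypted key in memory, so a full host compromise can still expose it.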
All times are GMT -5. The time now is 03:06 AM.