LinuxQuestions.org
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-08-2006, 02:29 PM   #1
darkRoom
https for ecommerce + biggest weakness?


Hi
I'm looking at systems using https for ecommerce situations. If you had to state the biggest vulnerability of https, what would it be?

Also, I can't seem to find any information regarding the secure storage of the private key. Am I right in thinking that if someone compromised my server and found my private key, they would then be able to use it to decrypt everything sent between the server and a client involved in a transaction with the server at that time? If this is the case, does a compromise of the private key represent a significant weakness in the https model?

Thanks
 
Old 03-08-2006, 10:52 PM   #2
Capt_Caveman
This sounds strangely like a homework question. Is it?
 
Old 03-09-2006, 05:23 AM   #3
darkRoom
Sorry, it does have that ring to it, but I've been a member here for a while and I never ask homework questions - I study Spanish.

But I've been reading a lot about ssh, and there doesn't seem to be much info about the private key. I gather it's encrypted on the server and decrypted before use, but exactly how vulnerable is it on the server? I was reading this article by nCipher:

http://ncipher.imarc.net/company/new..._to_ecommerce/

which is somewhat refuted by this article:

http://www.schneier.com/crypto-gram-...blicityAttacks

Which brings me back to asking: in your opinion, which part of the ssl transaction is the weakest?
 
Old 03-09-2006, 05:53 AM   #4
James_dean
If you're a corporate entity then you use a certificate signing agency like VeriSign to make your certificates and keys for you, and then you use these "trusted" certificates on your site for users to download from you. You can make these certificates yourself, but a warning message box will come up and warn the user that this site was not secured by a trusted authority.

I take it you're using Linux. If you go onto any secure site on the internet, after you have said that you wish to enter the secure site a little lock icon appears at the bottom of your browser. Click on this and it will give you a dialog box displaying details about where the certificate was signed. If it was bought from a trusted certificate authority then the certificate authority's name will be included in the information.

The actual generation of the certificates and keys for a web site can be done exactly the same way by yourself as by an outside agency, so it's only the fact that it's a "trusted" authority that makes them viable. It could be argued that if you make everything yourself it's safer, as you have your private key yourself and not some outside agency. The fact is that a warning about security in any shape or form will worry a user, so it's best not to have it.

The actual private key that you make needs to be of a certain strength or it is breakable; 1024-bit keys are the minimum, I believe. If you want to know how to actually make these keys for your browser on Linux or Windows then there are tutorials that teach you how to do this. Hope this helps, although it may be a bit vague.
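Added example (not from the thread or any poster) of the trust check behind that warning box: using only Go's standard library, it builds a CA, a site certificate the CA signed and a self-signed one for the same site, then verifies both against a store that trusts only the CA. The names "Example Trusted CA" and "shop.example" are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert returns a certificate for name and its key; parent == nil means
// self-signed by its own key, otherwise parent/signer issue it as a CA would.
func makeCert(name string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name}, // demo name, constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer) // demo: error ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo verifies a CA-signed and a self-signed certificate for the same site against
// a store trusting only the CA; the second error is what triggers the browser warning.
func Demo() (caSignedErr, selfSignedErr error) {
	ca, caKey := makeCert("Example Trusted CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots}
	signed, _ := makeCert("shop.example", false, ca, caKey)
	self, _ := makeCert("shop.example", false, nil, nil)
	_, caSignedErr = signed.Verify(opts)
	_, selfSignedErr = self.Verify(opts)
	return caSignedErr, selfSignedErr
}

func main() { fmt.Println(Demo()) } // <nil> x509: certificate signed by unknown authority
```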
 
Old 03-09-2006, 06:31 AM   #5
ncorreia
IMHO, should the private key be compromised, ssl connections already established will not be in danger (at least not expressly because of this). That is because they are using a symmetric session key negotiated during the ssl handshake. New connections will indeed be compromised.

hph,

NC
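Whether a stolen server key exposes already-recorded transactions depends on the key exchange the session used. Added example, not from the thread or any poster: with Go's standard library it models the RSA key exchange (premaster secret encrypted to the server's key) beside an ephemeral X25519 exchange, and shows that a recorded RSA transcript plus the key yields the session key, while the DHE transcript holds nothing that key can decrypt. OAEP and SHA-256 stand in for TLS's PKCS#1 v1.5 padding and PRF, and the 48-byte premaster is constructed for the demo.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Transcript is what a passive recorder of the handshake gets to keep.
type Transcript struct{ EncryptedPremaster, ClientShare, ServerShare []byte }

// rsaKeyExchange models TLS_RSA suites: the client encrypts a random premaster
// secret to the server's long-term key, so that ciphertext sits in the transcript.
func rsaKeyExchange(serverPub *rsa.PublicKey) ([32]byte, Transcript, error) {
	premaster := make([]byte, 48) // constructed demo premaster
	rand.Read(premaster)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, premaster, nil)
	return sha256.Sum256(premaster), Transcript{EncryptedPremaster: ct}, err // SHA-256 stands in for the PRF
}

// recoverRSASession: with the stolen server key, an old transcript yields the session key.
func recoverRSASession(serverPriv *rsa.PrivateKey, tr Transcript) ([32]byte, error) {
	premaster, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, tr.EncryptedPremaster, nil)
	return sha256.Sum256(premaster), err
}

// dheKeyExchange models (EC)DHE suites: fresh X25519 keys per connection, the
// server's long-term key only signs the exchange, and only public shares are sent.
func dheKeyExchange() ([32]byte, Transcript, error) {
	cPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, err := cPriv.ECDH(sPriv.PublicKey())
	tr := Transcript{ClientShare: cPriv.PublicKey().Bytes(), ServerShare: sPriv.PublicKey().Bytes()}
	// cPriv and sPriv die with this call; nothing recorded can reproduce `shared`
	return sha256.Sum256(shared), tr, err
}

// Demo reports whether the recorder rebuilt the RSA session key from the stolen
// server key, and whether the DHE transcript holds anything that key could decrypt.
func Demo() (rsaRecovered, dheRecoverable bool) {
	serverPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rsaKey, rsaTr, _ := rsaKeyExchange(&serverPriv.PublicKey)
	got, _ := recoverRSASession(serverPriv, rsaTr)
	_, dheTr, _ := dheKeyExchange()
	return got == rsaKey, len(dheTr.EncryptedPremaster) > 0
}

func main() { fmt.Println(Demo()) } // true false
```

This is why servers should prefer cipher suites with ephemeral key exchange: a key compromise then costs you future authentication, not every session an attacker managed to record earlier.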
 
  

