Unencrypted Channel From Web Server To App Server

Is it correct to say that in a typical Browser-Apache Web Server-Tomcat App Server setup, the SSL connection generally terminates at the Apache web server and the traffic between Apache and Tomcat (to the AJP connector) is unencrypted?  If I am correct that this is the "usual" setup, then isn't this a pretty big security flaw since the DMZ is supposed to be only "partly" safe?

If someone were to crack into the DMZ and could sniff network traffic, then they could in theory listen in to traffic and grab all of it in an unencrypted state (which may include credit card information, usernames, passwords etc).


Jim
