Re: PKI/SSL Client/Server Certificate Authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 13 Jan 2006, Tom Lane wrote:

"Brian A. Seklecki" <lavalamp@xxxxxxxxxxxxxxxxxxxxxx> writes:
If a "bad person" were to somehow obtain a copy of the source code with a
password embedded in the connect string (Steal it from a developer who
uses Windows, or maybe convince Apache to not interpret PHP before sending
to the client, something stupid like that), they would still be unable to
connect without a client certificate.

So they steal the client certificate file instead of (the file
containing) the password.  How exactly is this more secure?

You'd have to get a local shell on the server *plus* the password.

If a hacker can get a local shell on your web server (not a multi-user environment, obviously), and the Web server isn't in a jail, then they've probably got your database server too, and you might as well pack up and head home.

But with OCSP, the CA for the organization can revoke the validity of a Cert at any time by updating the CRL.

The password is entirely optional for the user. When you've got a Vhost running multiple Apps talking to the same BD, and the Web servers runs as the "www" or "http" user, you can even plug multiple database user passwords into user ~/www/.pgpass and the username is mapped via the Client X.509 cert.

In short, it's a deterrent to hackers and a convenience to admins. But we all know if someone wants in, they'll get in and it won't be some kind of attack a weakness in X.509 PKI, it will be the develpoer on Windows that opens the e-mail with the attachment (or image file!)

~BAS


			regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend


l8*
	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux