
Re: [OCLUG-Tech] wget passphrase

I hate to dogpile, but yup, security is a process. If you could add
security to a product the way you add condiments to a burger at
Harvey's, the world would be a much safer place!

That said, it sounds like you have a Linux system which users don't
routinely access (in other words, it boots and runs the programs you
want, but there's no default terminal access through sshd, a monitor,
or otherwise). The reason you put a passphrase on a certificate is to
protect the certificate from theft and malicious use - so if for some
reason the certificate file itself may be vulnerable to copying or
reading, you secure it with a passphrase which can't be copied as
easily (it's in somebody's head, it's in a script that most users
can't read, etc.)

So in your case, I think that the security ramifications of using a
certificate with or without a passphrase are the same - you're
primarily concerned about attacks at the network level, including
traffic capture and analysis or man in the middle attacks. Both kinds
of certificate behave the same way in that regard.

I'm taking some guesses there, please correct any poor assumptions.

Woogie

On Thu, Apr 1, 2010 at 9:59 AM, Spencer Cheng <scheng [ at ] aotera [ dot ] org> wrote:
>
> On Wed, Mar 31, 2010 at 14:55:04 -0400, piper.guy1 wrote:
>> On Wed, Mar 31, 2010 at 2:35 PM, Joe Burpee <jeb [ at ] burkby [ dot ] com> wrote:
>>> On Wed, Mar 31, 2010 at 12:54:20 -0400, piper.guy1 wrote:
>>>> 1. Can you create PEMs in OpenSSL without a passphrase?
>>>
>>> openssl req -nodes ...
>>
>> Now, as a newbie to security, what's my risk exposure?
>
>
> It's not that simple. How secure your system is is a function of your threat model, how the system is designed and how it is implemented. Adding a certificate without a password may or may not affect the security level of your system.
>
> Regards,
> Spencer

-- 
Evil will always triumph, because good is dumb
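
An added example, not part of the original thread: the message above says a passphrase protects the key file itself from copying, so this Python check reports whether a PEM private key is stored unencrypted (as `openssl req -nodes` produces) and, if so, whether file permissions are doing that job instead. The function names and the sample PEM bodies are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed samples: the base64 bodies are placeholders, not real key material.
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
ENCRYPTED_PKCS8 = PLAIN_KEY.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
ENCRYPTED_TRADITIONAL = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
)

def key_is_encrypted(pem_text):
    """True/False for the first private key block found, None if there is none."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    for i, line in enumerate(lines):
        if not (line.startswith("-----BEGIN ") and line.endswith("PRIVATE KEY-----")):
            continue
        if "ENCRYPTED" in line:  # PKCS#8: encryption is named in the label
            return True
        # Traditional format: encryption is signalled by a Proc-Type header.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        return nxt.startswith("Proc-Type:") and "ENCRYPTED" in nxt
    return None

def audit_key_file(path):
    """Return a list of findings for one PEM file on disk."""
    with open(path) as fh:
        encrypted = key_is_encrypted(fh.read())
    if encrypted is None:
        return ["no private key block found"]
    findings = []
    if not encrypted:
        findings.append("private key is stored without a passphrase")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("unencrypted key is accessible to group/other (mode %o)" % mode)
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "client.pem")
        with open(path, "w") as fh:
            fh.write(PLAIN_KEY)
        for mode in (0o644, 0o600):
            os.chmod(path, mode)
            print(oct(mode), audit_key_file(path))
```
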
