
Not entirely sure that's correct either. One could use a Hardware Security Module, such as the Thales nShield Connect[1], which will keep the private keys secure (at least in theory).

[1] http://www.thales-esecurity.com/Products/Hardware%20Security...



Interesting. I've used personal and server-based HSMs for XML and PDF document signing applications; I didn't know you got them for SSL as well.


Yeah, there are known and used alternatives - I'm working on a project right now where the SSL connections terminate at the load balancers. Rooting the web servers won't reveal those private keys. But I also know of many WHM/cPanel servers, each with dozens of cPanel accounts, around half of which have SSL certs. One FTP password sniffed customer/cPanel account is probably enough to lose root to a WHM box, exposing all the local SSL keys...



