Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/07/09 18:58:31 UTC

from the mod_perl list

tee hee

---------- Forwarded message ----------
Date: Wed, 9 Jul 1997 11:08:34 -0400
From: Lincoln Stein <ls...@GENOME.WI.MIT.EDU>
To: MODPERL@LISTPROC.ITRIBE.NET
Subject: Re: netcraft June survey

Here's a fun example of "security through obscurity" that I recently
learned about.

Unlike other SSL servers, Microsoft IIS does not ask for a passphrase
to unlock its RSA private key at boot time.  Why is this?  It turns
out that IIS encrypts the private key with something called the
"System Key", then obfuscates the system key with an unpublished
algorithm and hides it in the system registry (at an unknown
location).  It sounds like they're hiding the keys to the company
vault under the doormat!

Lincoln