Thread: SSL Certs
04-25-2003, 01:42 AM
PowerCum
CjOverkill
 
Join Date: Apr 2003
Location: Worldwide
Posts: 1,328
To target me? What do you mean? To hack my server?

If you are about to hack someone's server you do not care about who has signed his certificate. The only thing you care about is what soft is running on the box and what company hosts it.

If you care about surfers, they do not know who Verisign is. I personally trust a signature signed by domain.com that runs on domain.com more than a signature signed by another-domain.com running on domain.com.

Also, I have been to several Thawte security conferences, and I can assure you that their model of server security is... install their certificates and your server is secure... WRONG! Installing an SSL certificate only makes the connection between the server and the user encrypted. This way it is supposed that if someone is sniffing the user's connection the user's data will be safe... WRONG! If he sniffs the surfer's connection from the beginning then he will have the same data the surfer's browser has to decrypt the page; the hax0r will just need a little more work to do that. If the hax0r is skilled enough, he will perform a man-in-the-middle attack and he will not only decrypt the connection, but will also be able to modify parameters.

If you want to have a secure server, you have to really work your ass hard to secure the system. When I say secure the system, I mean that it's not only the Apache server, it's the whole system. Also, installing the newest patches is not a valid method to have a secure system; it only fixes some of the bugs. You have to tune up the configuration of all the system services, and make several extra patches.

If you want your tech-illiterate surfers to think they are on a secure system, then install an SSL certificate and you are done, but for real security the SSL certificate is something almost irrelevant and only stops stupid 16-year-old kids that think they 0wn th4 m4tr1x, and even then the stupid 16-year-old kid will be able to hack the box if you only install the certificate and the rest is an out-of-the-box install (default configuration).

If you want some extra security info:

http://www.securityfocus.com
http://packetstorm.widexs.nl
__________________
CjOverkill Traffic Trading Script
Free, secure and fast traffic trading script. Get your copy now