
SSL Keys, Is This Secure?

Zach

Diamond Member
So, I want to encrypt my POP3 with SSL. I enabled pop3s in Xinetd, and set Outlook Express (talk about me being into security, eh?) to use SSL with my server, port 995. Things work fine, except the default cert is invalid. So I made a new ipop3.pem out of the server.key and server.crt used for a website on the server. Aside from having to get email from www.thedomain.com (instead of mail), it works great. I used a packet sniffer and no passwords or sensitive data are being sent.

But how careful should I be with my server.key? It looks like the cert itself is thrown around everywhere, but I don't know about the key. All I know is that two years ago I followed some instructions to make one, and not much has told me about the importance/significance of the key.
 
The key (if I am thinking of the correct key) is important enough that it should NEVER touch the hard drive of that system.
 
But why then, need it be inside of the ipop3.pem? Hmm. I could try taking it out and seeing if openssl cares.

I also was under the impression that keys should not be publicly readable, but had read that chmoding to 600 is good enough. If someone gets root, then they can do whatever they want to your encryption...
 


<< But why then, need it be inside of the ipop3.pem? Hmm. I could try taking it out and seeing if openssl cares.

I also was under the impression that keys should not be publicly readable, but had read that chmoding to 600 is good enough. If someone gets root, then they can do whatever they want to your encryption...
>>



I have no clue how ipop3 works so I can't help you with that specifically. 600 should be fine for it, but keeping the keys off of the hard drive is the best solution. Then no one can mess with it (unless they can edit stuff stored in RAM really well). And if someone gets root, you have a lot more problems than just worrying about your encryption 😉
 
The server handles ecommerce, so losing credit card numbers is a much bigger deal than losing a server.
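
A check for the point discussed in this thread, added here as an example and not posted by anyone in it: the script lists which PEM blocks a bundle such as ipop3.pem contains and flags a private key whose file mode allows group or other access. The sample file is constructed with placeholder bodies, and `audit_pem` is a hypothetical helper name.

```python
import os
import re
import stat
import tempfile

# Matches the "-----BEGIN <LABEL>-----" header line of each PEM block.
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def audit_pem(path):
    """Report the PEM block types in a file and whether its mode exposes a key."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels = PEM_BEGIN.findall(text)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    # PKCS#8 encrypted keys use their own label; traditional encrypted keys
    # carry a "Proc-Type: 4,ENCRYPTED" header inside the block.
    protected = "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text
    findings = []
    if has_key and mode & 0o077:
        findings.append(
            f"{path}: contains a private key but mode is {mode:04o}; "
            "group/other bits should be clear (0600 or tighter)"
        )
    return {"labels": labels, "mode": mode, "has_key": has_key,
            "passphrase_protected": protected, "findings": findings}


def demo():
    # Constructed sample: the bodies are placeholders, not real key material.
    sample = (
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ipop3.pem")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)      # world-readable bundle
        before = audit_pem(path)
        os.chmod(path, 0o600)      # owner-only, as suggested in the thread
        after = audit_pem(path)
    return before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
```
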
 