Date: Sat, 14 May 2005 23:07:06 +1000
From: "Drew B. [Security Expertise/Freelance Security research]." <d4rkstorm@gmail.com>
To: Joe Schmoe <non_secure@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: different ways to disable https in apache...
Message-ID: <245f0df105051406074418cae@mail.gmail.com>
In-Reply-To: <20050513155454.63841.qmail@web53302.mail.yahoo.com>
References: <20050513155454.63841.qmail@web53302.mail.yahoo.com>

What kinds of attacks might I _not_ be insulating myself against by simply not running SSL, vs. reinstalling without it?

A quick one; SSL as you know encrypts that link and makes it secure, hence the 'handshake' name, so without this, you are opening your port 80 to any connection, that is the bottom line.

If you look at it on a 'grande' scale it ain't such a big deal, for some people it would be seen as a no, but then how many sites do you see running Only SSL clients? Not many.... it all depends on who you want to attract.

My opinion - depending on your confidence in your own web skills, and your familiarity with apache itself, I would use it and monitor port 80 a lot more than previously, also note your traffic will most likely increase.

As for actual exploitations, I cannot disclose that information simply, but it will always be vulnerable without a vigilant web admin anyhow, I say go for it.

Regards,
Drew.

On 5/14/05, Joe Schmoe <non_secure@yahoo.com> wrote:
> Hello,
>
> I built apache+openssl+mod_ssl. It is working fine,
> and I have been starting the server with:
>
> apachectl startssl
>
> Recently, however, I have decided that I will not be
> doing anything over https (for a while, at least) with
> this web server, so for security reasons, I want to
> only run on port 80.
>
> So now I start the server with:
>
> apachectl start
>
> And it runs without SSL. My question is, is starting
> the SSL-enabled apache like this, and running it
> without SSL exactly the same security-wise as running
> a copy of apache without SSL at all? That is, SSL
> libraries, etc., can have vulnerabilities in them, and
> am I still vulnerable to those problems even if I am
> running only on port 80?
>
> What kinds of attacks might I _not_ be insulating
> myself against by simply not running SSL, vs.
> reinstalling without it?
>
> thanks,

--
--------------------------------------------------------------------
Drew B.
Independent Security analysis, for Aussies.
Security researcher/expert, threat-focus, Freelance.
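
An added example, not part of the original thread: `apachectl startssl` starts httpd with `-DSSL`, so whether `apachectl start` still loads mod_ssl depends on whether the module's load line sits inside an `<IfDefine SSL>` block. The sketch below evaluates that for constructed config fragments; the file contents and helper names are assumptions, and a statically linked mod_ssl (listed by `httpd -l`) stays in the binary regardless of configuration.

```python
import re

# Constructed httpd.conf fragments (illustrative, not from the thread).
GUARDED_CONF = """\
Listen 80
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
Listen 443
</IfDefine>
"""
UNGUARDED_CONF = """\
Listen 80
LoadModule ssl_module libexec/libssl.so
<IfDefine SSL>
Listen 443
</IfDefine>
"""

def active_directives(conf_text, defines=()):
    """Directives httpd would process for the given -D names (hypothetical helper)."""
    defines, stack, out = set(defines), [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<IfDefine\s+(!?)([^>\s]+)\s*>$", line, re.I)
        if opened:
            # "!NAME" is active when NAME is *not* defined.
            stack.append((opened.group(2) in defines) != (opened.group(1) == "!"))
        elif re.match(r"</IfDefine\s*>$", line, re.I):
            if not stack:
                raise ValueError("unbalanced </IfDefine>")
            stack.pop()
        elif all(stack):  # every enclosing block must be active
            out.append(line)
    if stack:
        raise ValueError("unclosed <IfDefine>")
    return out

def ssl_exposure(conf_text, defines=()):
    """Report whether mod_ssl is loaded and whether port 443 is opened."""
    active = active_directives(conf_text, defines)
    return {
        "ssl_module_loaded": any(
            re.match(r"(LoadModule\s+ssl_module|AddModule\s+mod_ssl\.c)\b", d, re.I)
            for d in active),
        "listens_443": any(re.match(r"Listen\s+(\S+:)?443$", d, re.I) for d in active),
    }

if __name__ == "__main__":
    for name, conf in (("guarded", GUARDED_CONF), ("unguarded", UNGUARDED_CONF)):
        for defs in ((), ("SSL",)):
            print(name, defs, ssl_exposure(conf, defs))
```

In the unguarded fragment the module and the OpenSSL library it links against are mapped into the server process even when it is started without `-DSSL`, although no SSL listener is opened.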