Andreas S. said the following on 03/04/2007 07:38 AM:
> It doesn't make any sense to use the key on a test server - a
> self-signed key is sufficient for testing - so even if an attacker
> manages to break into the test server, he still needs to break into the
> main server to steal the key.
True, but you're missing the point. The wildcard covers your whole
Once on the test server an attacker can use that as a platform to gain
information and launch other attacks. He's "inside" the 'ring of
now. His view of what's valuable and your view may differ. He may not be
out to steal your cert; he might want to use your platform to run some
to carry out a DDoS on another site, act as a site for some phishing
expedition, store warez, store child pornography for a ring, act as a
store/server of material that is violating copyright such as movies or
songs. Who knows. Whatever: it's your loss, your cost - perhaps legal
proving you weren't culpable. Maybe the DMCA police cart off your
& software and you have to institute legal action to get it back.
All this has happened out there in the real world.
> You are right that in theory it increases
> the risk a little bit, because the attacker has to use the main server
> only for stealing the key, not to set up his evil application, but the
> whole thing is still a rather far-fetched scenario.
All attack models seem far-fetched to the site owners, I've found, until
hackers come along and demonstrate more creativity and ingenuity than we
expected. That has been the consistent history of network and host
security. "I didn't think they could do that" - but they did!
The point isn't about what you think possible but that you've
opened up a whole new set of avenues without instituting specific
to address them.
> There is always a
> tradeoff between security and cost/effort, and I think using a wildcard
> certificate is a good tradeoff.
It seems far removed from your original issue.
Black channels of unknown song
Whisper through your walls