The UK Home Automation Archive


The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024


Re: [OT] Urgent question about https


  • Subject: Re: [OT] Urgent question about https
  • From: "mark_harrison_uk2" <mph@xxxxxxxxxxxxxxx>
  • Date: Fri, 17 Dec 2004 10:48:55 -0000



--- In ukha_d@xxxxxxx, Tony Lucas <tony@x> wrote:

> Besides which, if someone was to get access to their webserver
> logs, the entire site would probably be breached anyway.


In my experience, probably not.

Commercial site design these days means that all the _large_ etailers
are running 3 tier servers, with customer-specific information only
held in the database tier. That means that even if the webheads are
compromised (which could show the logs), then there's still a firewall
to compromise to get to the application tier, and yet another firewall
to compromise before you get to the database.

One of the biggest security criticisms of IIS is that it effectively
bundles the application server and the webhead tier and forces them to
run on the same machine, so you only have one level of security
between compromising the web tier and the database server.

Obviously, the vast bulk of my experience is with very large etailers,
who are spending an awful lot on site security. If the etailer in
question was small, then it's possible that everything just runs on a
single server.... in which case the compromising of that server trashes
everything :-(

M.
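
The layouts discussed in the message above, modelled as an added example that is not part of the original post: it counts how many firewall boundaries sit between the web tier and the database in each layout, and audits the allow rules for one that lets a web-only zone reach the database directly. Zone names, rules and the fourth "misconfigured" layout are constructed assumptions.

```python
from collections import deque

# Constructed layouts (not from the post): each zone lists the roles it hosts;
# "allow" lists the zone-to-zone flows the firewalls permit.
LAYOUTS = {
    "three_tier": {
        "zones": {"dmz": {"web"}, "app_net": {"app"}, "db_net": {"db"}},
        "allow": [("dmz", "app_net"), ("app_net", "db_net")],
    },
    "web_app_bundled": {  # web and application server on the same machine
        "zones": {"dmz": {"web", "app"}, "db_net": {"db"}},
        "allow": [("dmz", "db_net")],
    },
    "single_server": {
        "zones": {"host": {"web", "app", "db"}},
        "allow": [],
    },
    "misconfigured_three_tier": {  # a convenience rule from the web zone to the db zone
        "zones": {"dmz": {"web"}, "app_net": {"app"}, "db_net": {"db"}},
        "allow": [("dmz", "app_net"), ("app_net", "db_net"), ("dmz", "db_net")],
    },
}

def zone_hosting(layout, role):
    return next(z for z, roles in layout["zones"].items() if role in roles)

def boundaries_between(layout, src_role="web", dst_role="db"):
    """Fewest firewall boundaries on any permitted path; None if unreachable."""
    start, goal = zone_hosting(layout, src_role), zone_hosting(layout, dst_role)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == goal:
            return hops
        for src, dst in layout["allow"]:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + 1))
    return None

def tier_skipping_rules(layout):
    """Allow rules from a zone hosting web but not app straight into the db zone."""
    zones = layout["zones"]
    return [(s, d) for s, d in layout["allow"]
            if "web" in zones[s] and "app" not in zones[s] and "db" in zones[d]]

if __name__ == "__main__":
    for name, layout in LAYOUTS.items():
        print(name, boundaries_between(layout), tier_skipping_rules(layout))
```

The misconfigured layout reports the same separation as the bundled one, which is the case a periodic rule audit is meant to catch.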





