Re: [OT] Urgent question about https
- Subject: Re: [OT] Urgent question about https
- From: "mark_harrison_uk2" <mph@xxxxxxxxxxxxxxx>
- Date: Fri, 17 Dec 2004 10:48:55 -0000
--- In ukha_d@xxxxxxx, Tony Lucas <tony@x> wrote:
> Besides which, if someone was to get access to their webserver
> logs, the entire site would probably be breached anyway.

In my experience, probably not.

Commercial site design these days means that all the _large_ etailers
are running 3 tier servers, with customer-specific information only
held in the database tier. That means that even if the webheads are
compromised (which could show the logs), then there's still a firewall
to compromise to get to the application tier, and yet another firewall
to compromise before you get to the database.

One of the biggest security criticisms of IIS is that it effectively
bundles the application server and the webhead tier and forces them to
run on the same machine, so you only have one level of security
between compromising the web tier and the database server.

Obviously, the vast bulk of my experience is with very large etailers,
who are spending an awful lot on site security. If the etailer in
question was small, then it's possible that everything just runs on a
single server.... in which case the compromising of that server trashes
everything :-(

M.