[security] hide configuration parameters from commandline
Posted: Mon Jul 29, 2013 9:14 pmHi!
I am on linux and did setup ssl with own certificate.
if i use top/htop to see running processes one can read all parameters given to java, including keystore/privatekey password. So any user who may have acces to htop may retrive the private key used for ssl encryption.
This is verybad as the certificate may be used by other applications/services on other hosts.
programm itself shoul read those configurations from file which one could restrict access to, so not every user can retrive the private key.
1
I am on linux and did setup ssl with own certificate.
if i use top/htop to see running processes one can read all parameters given to java, including keystore/privatekey password. So any user who may have acces to htop may retrive the private key used for ssl encryption.
This is verybad as the certificate may be used by other applications/services on other hosts.
programm itself shoul read those configurations from file which one could restrict access to, so not every user can retrive the private key.
1