Honeypots mailing list archives

Re: logging facility


From: "KeyFocus" <support () keyfocus net>
Date: Fri, 29 Aug 2003 09:09:25 +0100

From: "JWT Judd" <jwtjudd () att net>
So, the honey pot has the decryption key? Does it get this by being a
replicant of the system initiating the secure session?


I had in mind a simple example of an SSL enabled web server running on a
Honeypot server.
What is needed is a unique server side certificate. This can be one signed
by yourself or one bought for the purpose.

From: <urbn () visi com>
What if someone compromised your honeypot, and then monitored any SSL
traffic that was decrypted?

In this case they would only be able to monitor traffic going to the
honeypot, which has no production value.

Common sense would tell me to keep these logs (the
decrypted SSL traffic) on a separate system,

That is a good idea. To be totally secure the decrypted traffic should be
sent and logged to a secure server; this should be encrypted using the
public key of the secure logging server.

but then why even have your honeypot decrypt it first? Better off just
sending the encrypted packets to the system that will be logging it anyways.

Or am I missing something here?


If you do that then it will be impossible to decrypt the packets on the
secure server.

 - Tom
www.keyfocus.net
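
The encrypt-to-the-logging-server idea from the reply above, as an added example that is not part of the original message: the honeypot holds only the log server's public key, so it can seal records but not reopen them. The `openssl` CLI, the hybrid scheme (random secret wrapped with RSA-OAEP), the file names and the sample record are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration: the honeypot seals each decrypted-traffic record to the
# log server's public key. File names and the sample record are constructed.
set -eu

# Log server, once: the private key stays here and is never copied to the honeypot.
make_logserver_keys() {   # $1 = directory for logserver.key / logserver.pub
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/logserver.key" 2>/dev/null
  openssl pkey -in "$1/logserver.key" -pubout -out "$1/logserver.pub"
}

# Honeypot: a fresh random secret encrypts the record (AES-256-CBC, confidentiality
# only), then the secret is wrapped with RSA-OAEP under the public key.
seal_record() {           # $1 = public key, $2 = plaintext file, $3 = output prefix
  _k=$(mktemp)
  openssl rand -hex 32 > "$_k"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$_k" -in "$2" -out "$3.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$1" \
    -pkeyopt rsa_padding_mode:oaep -in "$_k" -out "$3.key"
  rm -f "$_k"             # the honeypot no longer holds the secret after this
}

# Log server: unwrap the secret with the private key, then decrypt to stdout.
open_record() {           # $1 = private key, $2 = prefix used by seal_record
  _k=$(mktemp)
  openssl pkeyutl -decrypt -inkey "$1" \
    -pkeyopt rsa_padding_mode:oaep -in "$2.key" -out "$_k"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$_k" -in "$2.enc"
  rm -f "$_k"
}

demo() {
  d=$(mktemp -d)
  make_logserver_keys "$d"
  printf '%s\n' '2003-08-29 09:09:25 10.0.0.5 GET /admin/ HTTP/1.0 (constructed)' > "$d/rec.txt"
  seal_record "$d/logserver.pub" "$d/rec.txt" "$d/rec"
  rm -f "$d/rec.txt"                       # honeypot keeps only rec.enc + rec.key
  open_record "$d/logserver.key" "$d/rec"  # prints the record on the log server
  rm -rf "$d"
}
demo
```

AES-CBC here protects confidentiality only, so the transport or an added MAC has to cover integrity of the records in transit.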

