Vulnerability Development mailing list archives

Re: Apache ap_getpass vulnerability


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Wed, 8 Nov 2000 21:30:54 +0100

signing stuff is done using another interface. That would be a worthy
challenge to hack remotely from network eh? ;).

Mayhap not. E.g. if it performs requested RSA calculations only, with no
sanity checks or insufficient ones, there are known attacks. A team of
cryptographers could penetrate it. Flawed RSA products do exist, RSA's own
PKI suite was flawed some versions ago (quite some media attention a few
years back).

An interesting question is, are most SSL products developed by merely
software/hdl coders, or are they inspected by cryptographers? And is the
SSL "black-box" configurable? If so is that interface truly secure?

I'm not saying that there are flaws in any major SSL product, but I think
one should note that they *may* be flawed. "Black boxes" aren't always as
secure as one might think.

In principle, it's a good idea though, to move private keys out of
webserver memory.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

             http://www.eff.org/cafe
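
Added example, not part of the original post: a toy Python sketch of why a box that performs requested RSA calculations only needs sanity checks on its input. Raw RSA is multiplicative, so the unchecked box cannot tell what it is really signing, while a box that checks the input framing rejects the disguised request. The key, the framing prefix and all function names are assumptions constructed for illustration.

```python
import hashlib

# Toy RSA key, constructed for this example; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1          # two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent held by the "box"
PREFIX = b"\x01\xff\xff\x00"         # toy stand-in for PKCS#1 v1.5 framing
BLOCK_LEN = 11                       # framed block is 11 bytes, below N


def encode(msg: bytes) -> int:
    """Frame a truncated SHA-256 digest the way the box expects it."""
    return int.from_bytes(PREFIX + hashlib.sha256(msg).digest()[:7], "big")


def raw_box(x: int) -> int:
    """Box with no sanity checks: exponentiates whatever it is handed."""
    return pow(x, D, N)


def checked_box(x: int) -> int:
    """Box that refuses inputs lacking the expected framing."""
    if not 0 < x < N or x.bit_length() > 8 * BLOCK_LEN:
        raise ValueError("input out of range")
    if not x.to_bytes(BLOCK_LEN, "big").startswith(PREFIX):
        raise ValueError("input is not a framed digest")
    return pow(x, D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Public-key check that sig is a signature over the framed digest."""
    return pow(sig, E, N) == encode(msg)


def blinded_request(msg: bytes, r: int):
    """Return (value sent to the box, function that unblinds the reply)."""
    x = encode(msg) * pow(r, E, N) % N   # looks unrelated to encode(msg)
    return x, lambda reply: reply * pow(r, -1, N) % N
```

The blinded value passes through `raw_box` and unblinds to a valid signature, whereas `checked_box` raises `ValueError` on it because the framing is gone.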

