Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Tue, 7 Nov 2000 09:49:27 +0800
At 12:35 PM 06-11-2000 -0800, Jon Paul, Nollmann wrote:
> So smartcards, "secure" databases, one-way hardware, remote decryption, challenge-response hardware, coupled-firewall doing restarts through ssh, and anything else are all false solutions: the web server needs the unencrypted private key in memory for all time (or has to be able to decrypt the key with every new connection request) and therefore the unencrypted key is always available to anyone with local root access.
The webserver doesn't necessarily need the private key in memory. For example the webserver could off load part of the SSL processing to some hardware. And you can design the hardware so that there are two physical interfaces. You can only write the key to the hardware using one interface (you probably want to make your own keys, not use built-in ones). The SSL signing stuff is done using another interface.

That would be a worthy challenge to hack remotely from network eh? ;). The hacker might be able to do funny things to your O/S etc and make you look bad to Joe Average, but you won't have to revoke your certs.

People with physical access may still be able to get your certs. But hey they might as well cart everything away using a "forklift attack" ;).

Have fun,
Link.
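The two-interface design described in the message above, sketched as an added example that is not part of the original post: a forked process stands in for the hardware, a pipe is the write-only key-loading interface, and a socket is the signing interface. The function names are hypothetical, and HMAC-SHA256 stands in for the RSA private-key operation so the sketch runs with the standard library alone (Unix only).

```python
import hashlib, hmac, os, socket

def start_signer():
    """Fork the stand-in 'hardware'. Returns (load_fd, sign_sock):
    load_fd is the write-only key-loading interface, sign_sock the signing one."""
    load_r, load_w = os.pipe()
    web, dev = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    if os.fork() == 0:                      # child process = the device
        try:
            os.close(load_w); web.close()
            key = os.read(load_r, 64)       # key arrives once, on its own interface
            os.close(load_r)
            while True:
                digest = dev.recv(128)
                if not digest:              # web server closed its end
                    break
                if len(digest) != 32:       # only SHA-256-sized digests are accepted
                    dev.send(b"ERR")
                    continue
                # HMAC is an assumption standing in for the private-key signature
                dev.send(hmac.new(key, digest, hashlib.sha256).digest())
        finally:
            os._exit(0)                     # never fall back into the caller's code
    os.close(load_r); dev.close()
    return load_w, web

def load_key(load_fd, key):
    """Operator side: write the key once, then close. There is no read path."""
    os.write(load_fd, key)
    os.close(load_fd)

def sign(sign_sock, message):
    """Web-server side: it only ever handles digests and signatures."""
    sign_sock.send(hashlib.sha256(message).digest())
    return sign_sock.recv(128)
```

A compromised web-server process in this model holds only `sign_sock`, so it can request signatures while the compromise lasts but has no message that returns the key, which is why the certificate would not need revoking.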