Re: Apache ap_getpass vulnerability

[Lincoln Yeoh <lyeoh () POP JARING MY>]

At 12:35 PM 06-11-2000 -0800, Jon Paul, Nollmann wrote:
> So smartcards, "secure" databases, one-way hardware, remote
> decryption, challenge-response hardware, coupled-firewall doing
> restarts through ssh, and anything else are all false solutions: the
> web server needs the unencrypted private key in memory for all time
> (or has to be able to decrypt the key with every new connection
> request) and therefore the unencrypted key is always available to
> anyone with local root access.

The webserver doesn't necessarily need the private key in memory. For
example the webserver could off load part of the SSL processing to some
hardware. And you can design the hardware so that there are two physical
interfaces. You can only write the key to the hardware using one interface
( you probably want to make your own keys, not use built-in ones ). The SSL
signing stuff is done using another interface. That would be a worthy
challenge to hack remotely from network eh? ;).

The hacker might be able to do funny things to your O/S etc and make you
look bad to Joe Average, but you won't have to revoke your certs.

People with physical access may still be able to get your certs. But hey
they might as well cart everything away using a "forklift attack" ;).

Have fun,
Link.