tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Better SSL connector setup
Date Tue, 09 Apr 2013 15:54:07 GMT
Harris, Jeffrey E. wrote:
> Chris,
> 
>> -----Original Message-----
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Sent: Tuesday, April 09, 2013 10:01 AM
>> To: Tomcat Users List
>> Subject: Re: Better SSL connector setup
>>
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Jeffrey,
>>
>> On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
>>>
>>>> -----Original Message-----
>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>> Sent: Tuesday, April 09, 2013 6:04 AM
>>>> To: Tomcat Users List
>>>> Subject: Re: Better SSL connector setup
>>>>
>>>> Christopher Schultz wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA256
>>>>>
>>> You can improve the performance of the existing RS-232 modem pool by
>>> doing some ROT-13 and Fourier transforms prior to data encoding.
>>> However, this does require the equivalent capability on the receiving
>>> side.
>> - -1
>>
>> Using ROT-13 can certainly improve the security of your data in-transit
>> and *is* a NIST recommendation, but it unfortunately does not improve
>> performance as it introduces an additional operation in the pipeline.
>> As usual, real security is a trade-off between convenience (here,
>> speed) and actual security (the superior cipher algorithm ROT-13). I
>> believe recent versions of OpenSSL (0.9.1c?) include the new ROT13-XOR-
>> MD2 cipher, but since it is optimized for 8-bit processors you need to
>> make sure to have a modern CPU -- I recommend one of the "DX2" Intel
>> processors.
>>
> 
> Okay, it does not improve performance, but it sure confuses the heck out
> of man-in-the-middle attacks!
> 
>> As for Fourier transforms, that's just security through obscurity
>> (though it's pretty good obscurity). "Fast" Fourier transforms also
>> work best with data sizes that are powers-of-two in length and so your
>> throughput can experience odd pulsing behavior while your buffers fill
>> waiting to be transformed. Unless you have one of the aforementioned
>> "DX2" style processors coupled with a V.22bis-capable device, you are
>> probably not going to be able to keep up with all the traffic your
>> Gopher server is likely to generate.
>>
> 
> Well, I was focusing on performance here, not security.  And if I use my Amiga
> 1000, I can invoke hardware security because of the non-standard RS-232 port
> (just try and connect a regular RS-232 cable to that system, and see how quickly
> the modem shorts out!), and because the instruction set uses Motorola 68000
> instructions, not DX2 Intel instructions.
> 
That's not really security either. Any common optical RS-232 isolator (like the one shown
here: http://www.commfront.com/rs232-rs485-rs422-serial-converters/RS232-Isolator-7-wire.htm)
will easily overcome that issue. I started using these everywhere after I blew up the line
drivers of my Soroc terminal a couple of times by forgetting to switch it off before I
unplugged it. I don't know what the optical nature of the isolator does to the security by
obscurity aspect though, I suspect that it may make a man-in-the-middle attack easier (as
long as the man is not really in the middle physically of course).

For SSL however, due to the higher bitrate, I would recommend a conversion to RS485 (with
this e.g.: http://www.szatc.com/english/showpro.asp?articleid=169)
(beware of embedded Trojans though).

Also, for your Amiga, you may want to consider swapping the 68000 processor for a 68010. It
is pin-compatible and provides a significant speed boost, maybe enough to allow you to
switch from a 48-bit encryption scheme to a 128-bit scheme.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
