tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Better SSL connector setup
Date Wed, 10 Apr 2013 16:09:04 GMT
André,

On 4/9/13 11:54 AM, André Warnier wrote:
> Harris, Jeffrey E. wrote:
>> Chris,
>> 
>>> -----Original Message-----
>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>> Sent: Tuesday, April 09, 2013 10:01 AM
>>> To: Tomcat Users List
>>> Subject: Re: Better SSL connector setup
>>> 
>> 
>>> Jeffrey,
>>> 
>>> On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
>>>> 
>>>>> -----Original Message-----
>>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>>> Sent: Tuesday, April 09, 2013 6:04 AM
>>>>> To: Tomcat Users List
>>>>> Subject: Re: Better SSL connector setup
>>>>> 
>>>>> Christopher Schultz wrote:
>>>> You can improve the performance of the existing RS-232 modem
>>>> pool by doing some ROT-13 and Fourier transforms prior to
>>>> data encoding. However, this does require the equivalent
>>>> capability on the receiving side.
>>> -1
>>> 
>>> Using ROT-13 can certainly improve the security of your data
>>> in-transit and *is* a NIST recommendation, but it unfortunately
>>> does not improve performance as it introduces an additional
>>> operation in the pipeline. As usual, real security is a
>>> trade-off between convenience (here, speed) and actual security
>>> (the superior cipher algorithm ROT-13). I believe recent
>>> versions of OpenSSL (0.9.1c?) include the new ROT13-XOR-MD2
>>> cipher, but since it is optimized for 8-bit processors you need
>>> to make sure to have a modern CPU -- I recommend one of the
>>> "DX2" Intel processors.
>>> 
>> 
>> Okay, it does not improve performance, but it sure confuses the
>> heck out of man-in-the-middle attacks!
>> 
>>> As for Fourier transforms, that's just security through
>>> obscurity (though it's pretty good obscurity). "Fast" Fourier
>>> transforms also work best with data sizes that are
>>> powers-of-two in length and so your throughput can experience
>>> odd pulsing behavior while your buffers fill waiting to be
>>> transformed. Unless you have one of the aforementioned "DX2"
>>> style processors coupled with a V.22bis-capable device, you
>>> are probably not going to be able to keep up with all the
>>> traffic your Gopher server is likely to generate.
>>> 
>> 
>> Well, I was focusing on performance here, not security.  And if I
>> use my Amiga 1000, I can invoke hardware security because of the
>> non-standard RS-232 port (just try and connect a regular RS-232
>> cable to that system, and see how quickly the modem shorts out!),
>> and because the instruction set uses Motorola 68000 instructions,
>> not DX2 Intel instructions.
>> 
> That's not really security either. Any common optical RS-232
> isolator (like the one shown here:
> http://www.commfront.com/rs232-rs485-rs422-serial-converters/RS232-Isolator-7-wire.htm)
> will easily overcome that issue. I started using these everywhere
> after I blew up the line drivers of my Soroc terminal a couple of
> times by forgetting to switch it off before I unplugged it. I don't
> know what the optical nature of the isolator does to the security
> by obscurity aspect though, I suspect that it may make a
> man-in-the-middle attack easier (as long as the man is not really
> in the middle physically of course). For SSL however, due to the
> higher bitrate, I would recommend a conversion to RS485 (with this
> e.g. : http://www.szatc.com/english/showpro.asp?articleid=169) 
> (beware of embedded Trojans though).

USB is just a fad. Stick with SCSI unless you want to have a whole lot
of useless hardware in 18 months.

> Also, for your Amiga, you may want to consider swapping the 68000 
> processor by a 68010. It is pin-compatible and provides a
> significant speed boost, maybe enough to allow you to switch from a
> 48-bit encryption scheme to a 128-bit scheme.

Don't forget to install the Microsoft High Encryption pack, or your
browsers won't be able to decrypt that stuff. I think you have to
register with the DOD in order to deploy ciphers of that strength.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

