tomcat-users mailing list archives
From Christopher Schultz <>
Subject Re: Better SSL connector setup
Date Wed, 10 Apr 2013 16:09:04 GMT
On 4/9/13 11:54 AM, André Warnier wrote:
> Harris, Jeffrey E. wrote:
>> Chris,
>>> Jeffrey,
>>> On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
>>>> You can improve the performance of the existing RS-232 modem
>>>> pool by doing some ROT-13 and Fourier transforms prior to
>>>> data encoding. However, this does require the equivalent
>>>> capability on the receiving side.
>>> -1
>>> Using ROT-13 can certainly improve the security of your data
>>> in-transit and *is* a NIST recommendation, but it unfortunately
>>> does not improve performance as it introduces an additional
>>> operation in the pipeline. As usual, real security is a
>>> trade-off between convenience (here, speed) and actual security
>>> (the superior cipher algorithm ROT-13). I believe recent
>>> versions of OpenSSL (0.9.1c?) include the new ROT13-XOR- MD2
>>> cipher, but since it is optimized for 8-bit processors you need
>>> to make sure to have a modern CPU -- I recommend one of the
>>> "DX2" Intel processors.
>> Okay, it does not improve performance, but it sure confuses the
>> heck out of man-in-the-middle attacks!
>>> As for Fourier transforms, that's just security through
>>> obscurity (though it's pretty good obscurity). "Fast" Fourier
>>> transforms also work best with data sizes that are
>>> powers-of-two in length and so your throughput can experience
>>> odd pulsing behavior while your buffers fill waiting to be
>>> transformed. Unless you have one of the aforementioned "DX2"
>>> style processors coupled with a V.22bis-capable device, you
>>> are probably not going to be able to keep up with all the
>>> traffic your Gopher server is likely to generate.
>> Well, I was focusing on performance here, not security.  And if I
>> use my Amiga 1000, I can invoke hardware security because of the
>> non-standard RS-232 port (just try and connect a regular RS-232
>> cable to that system, and see how quickly the modem shorts out!),
>> and because the instruction set uses Motorola 68000 instructions,
>> not DX2 Intel instructions.
> That's not really security either.  Any common optical RS-232
> isolator (like the one shown here : 
>  will easily overcome that issue. I started using these everywhere
> after I blew up the line drivers of my Soroc terminal a couple of
> times by forgetting to switch it off before I unplugged it. I don't
> know what the optical nature of the isolator does to the security
> by obscurity aspect though, I suspect that it may make a
> man-in-the-middle attack easier (as long as the man is not really
> in the middle physically of course). For SSL however, due to the
> higher bitrate, I would recommend a conversion to RS485 (with this
> e.g. : 
> (beware of embedded Trojans though).

USB is just a fad. Stick with SCSI unless you want to have a whole lot
of useless hardware in 18 months.

> Also, for your Amiga, you may want to consider swapping the 68000 
> processor by a 68010. It is pin-compatible and provides a
> significant speed boost, maybe enough to allow you to switch from a
> 48-bit encryption scheme to a 128-bit scheme.

Don't forget to install the Microsoft High Encryption pack, or your
browsers won't be able to decrypt that stuff. I think you have to
register with the DOD in order to deploy ciphers of that strength.

-chris

