tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Better SSL connector setup
Date Wed, 10 Apr 2013 20:50:49 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

On 4/10/13 12:17 PM, Harris, Jeffrey E. wrote:
> 
> 
>> -----Original Message----- From: Christopher Schultz
>> [mailto:chris@christopherschultz.net] Sent: Wednesday, April 10,
>> 2013 12:09 PM To: Tomcat Users List Subject: Re: Better SSL
>> connector setup
>> 
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> André,
>> 
>> On 4/9/13 11:54 AM, André Warnier wrote:
>>> Harris, Jeffrey E. wrote:
>>>> Chris,
>>>> 
>>>>> -----Original Message----- From: Christopher Schultz 
>>>>> [mailto:chris@christopherschultz.net] Sent: Tuesday, April
>>>>> 09, 2013 10:01 AM To: Tomcat Users List Subject: Re: Better
>>>>> SSL connector setup
>>>>> 
>>>> 
>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>>>> 
>>>>> Jeffrey,
>>>>> 
>>>>> On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
>>>>>> 
>>>>>>> -----Original Message----- From: André Warnier 
>>>>>>> [mailto:aw@ice-
>>>>> sa.com]
>>>>>>> Sent: Tuesday, April 09, 2013 6:04 AM To: Tomcat Users
>>>>>>> List Subject: Re: Better SSL connector setup
>>>>>>> 
>>>>>>> Christopher Schultz wrote:
>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>>>>>>> 
>>>>>> You can improve the performance of the existing RS-232
>>>>>> modem pool by doing some ROT-13 and Fourier transforms
>>>>>> prior to data
>> encoding.
>>>>>> However, this does require the equivalent capability on
>>>>>> the receiving side.
>>>>> - -1
>>>>> 
>>>>> Using ROT-13 can certainly improve the security of your
>>>>> data in-transit and *is* a NIST recommendation, but it
>>>>> unfortunately
>> does
>>>>> not improve performance as it introduces an additional
>>>>> operation in the pipeline. As usual, real security is a
>>>>> trade-off between convenience (here, speed) and actual
>>>>> security (the superior cipher algorithm ROT-13). I believe
>>>>> recent versions of OpenSSL (0.9.1c?) include the new
>>>>> ROT13-XOR- MD2 cipher, but since it is optimized
>> for
>>>>> 8-bit processors you need to make sure to have a modern CPU
>>>>> -- I recommend one of the "DX2" Intel processors.
>>>>> 
>>>> 
>>>> Okay, it does not improve performance, but it sure confuses
>>>> the heck out of man-in-the-middle attacks!
>>>> 
>>>>> As for Fourier transforms, that's just security through
>>>>> obscurity (though it's pretty good obscurity). "Fast"
>>>>> Fourier transforms also work best with data sizes that are
>>>>> powers-of-two in length and so your throughput can
>>>>> experience odd pulsing behavior while your buffers fill
>>>>> waiting to be transformed. Unless you have one of the 
>>>>> aforementioned "DX2" style processors coupled with a
>>>>> V.22bis-capable device, you are probably not going to be
>>>>> able to keep up with all the traffic your Gopher server is
>>>>> likely to generate.
>>>>> 
>>>> 
>>>> Well, I was focusing on performance here, not security.  And
>>>> if I
>> use
>>>> my Amiga 1000, I can invoke hardware security because of the 
>>>> non-standard RS-232 port (just try and connect a regular
>>>> RS-232
>> cable
>>>> to that system, and see how quickly the modem shorts out!),
>>>> and because the instruction set uses Motorola 68000
>>>> instructions, not
>> DX2
>>>> Intel instructions.
>>>> 
>>> That's not really security either.  Any common optical RS-232
>> isolator
>>> (like the one shown here : 
>>> http://www.commfront.com/rs232-rs485-rs422-serial-converters/RS232-
>>
>>> 
Iso
>>> lator-7-wire.htm)
>>> 
>>> will easily overcome that issue. I started using these
>>> everywhere after I blew up the line drivers of my Soroc
>>> terminal a couple of times by forgetting to switch it off
>>> before I unplugged it. I don't know what the optical nature of
>>> the isolator does to the security by obscurity aspect though, I
>>> suspect that it may make a man-in-the-middle attack easier (as
>>> long as the man is not really in the middle physically of
>>> course). For SSL however, due to the higher bitrate, I would
>>> recommend a conversion to RS485 (with this e.g. : 
>>> http://www.szatc.com/english/showpro.asp?articleid=169) (beware
>>> of embedded Trojans though).
>> 
>> USB is just a fad. Stick with SCSI unless you want to have a
>> whole lot of useless hardware in 18 months.
>> 
>>> Also, for your Amiga, you may want to consider swapping the
>>> 68000 processor by a 68010. It is pin-compatible and provides a
>>> significant speed boost, maybe enough to allow you to switch
>>> from a 48-bit encryption scheme to a 128-bit scheme.
>> 
>> Don't forget to install the Microsoft High Encryption pack, or
>> your browsers won't be able to decrypt that stuff. I think you
>> have to register with the DOD in order to deploy ciphers of that
>> strength.
>> 
>> - -chris
> 
> I will just convert everything into machine code.  The Motorola
> processors and AmigaOS use Big-Endian, and Intel processes use
> Little-Endian, so that will just confuse anyone who uses Intel
> hardware and most operating systems, particularly if I just overlay
> the results with the Beatles' "Helter Skelter" played backwards and
> sampled at 11.025KHz.

Get yourself a DEC Alpha and write an algorithm that switches
endian-ness halfway through the process. Good luck debugging that.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRZdCoAAoJEBzwKT+lPKRYZBUQAMOkfJUZb7DieVp5sZTY1EVe
/Ty7uI0aZpPx1ExjDSXo393Qz3sMFtwzCIUr1vDLLvPdX7gDmZSHHVXZZ8R8JAwi
VPLqr50PR3T0fghNBWqjCOVtxweXGUWclMTFqCVd7UIvdOQnq4aFRVtWdrdDxwJz
zNAl4Vz0BhNcu1+tdG9OiTC3YBsgWP/BCQPNigbVO7IGJyp6hMUomM/350q0TGg1
5JhNdc0Cgzed3mhA0qAqucePeouEPrs+pH883xCjOkQsXncuDBMf1HBszHTf8Iy4
+ACU3sAjWOjkYBMavNgK1yfH3W7vSLuM9FGxrbhwNo+ttLkFp8sxYiY7oA2pZ2iY
Gnq8nmrU3Lz7AmMKR3jEe/HXL62jpBzJV8dIYjI8uGdOzg654BHU/ZnbCrV3UFrD
vIS/tBasODOsvwgtVI9KE8i24kUw+kAwMI/h7rAXiWchlU2+mc4N5zn5W6IiQM4X
wbD4NUGnqoOcto/8qt4F8Qe1WrJLWlvrwDssFQkEnIg0SryYdM5/balHDhW0mBkM
vjC0lNQk7363uvxTJlVXpdXk5f/9WlACSUYhssRRN1/GZscX8suemFOYfas6Nveu
fBAh36Sud6jzoqSaZHQ32zL5ekw7qZluhvTXmsV9ACspXg/OW3T2vLO+LIaTwTCg
JcVTE8XJVlrgtavTLEHg
=sVOL
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message