tomcat-users mailing list archives

From "Harris, Jeffrey E." <Jeffrey.Har...@ManTech.com>
Subject RE: Better SSL connector setup
Date Wed, 10 Apr 2013 16:17:58 GMT


> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Wednesday, April 10, 2013 12:09 PM
> To: Tomcat Users List
> Subject: Re: Better SSL connector setup
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> André,
>
> On 4/9/13 11:54 AM, André Warnier wrote:
> > Harris, Jeffrey E. wrote:
> >> Chris,
> >>
> >>> -----Original Message----- From: Christopher Schultz
> >>> [mailto:chris@christopherschultz.net] Sent: Tuesday, April 09,
> >>> 2013 10:01 AM To: Tomcat Users List Subject: Re: Better SSL
> >>> connector setup
> >>>
> >>
> >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
> >>>
> >>> Jeffrey,
> >>>
> >>> On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
> >>>>
> >>>>> -----Original Message----- From: André Warnier
> >>>>> [mailto:aw@ice-
> >>> sa.com]
> >>>>> Sent: Tuesday, April 09, 2013 6:04 AM To: Tomcat Users List
> >>>>> Subject: Re: Better SSL connector setup
> >>>>>
> >>>>> Christopher Schultz wrote:
> >>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
> >>>>>>
> >>>> You can improve the performance of the existing RS-232 modem pool
> >>>> by doing some ROT-13 and Fourier transforms prior to data
> encoding.
> >>>> However, this does require the equivalent capability on the
> >>>> receiving side.
> >>> - -1
> >>>
> >>> Using ROT-13 can certainly improve the security of your data
> >>> in-transit and *is* a NIST recommendation, but it unfortunately
> does
> >>> not improve performance as it introduces an additional operation in
> >>> the pipeline. As usual, real security is a trade-off between
> >>> convenience (here, speed) and actual security (the superior cipher
> >>> algorithm ROT-13). I believe recent versions of OpenSSL (0.9.1c?)
> >>> include the new ROT13-XOR- MD2 cipher, but since it is optimized
> for
> >>> 8-bit processors you need to make sure to have a modern CPU -- I
> >>> recommend one of the "DX2" Intel processors.
> >>>
> >>
> >> Okay, it does not improve performance, but it sure confuses the heck
> >> out of man-in-the-middle attacks!
> >>
> >>> As for Fourier transforms, that's just security through obscurity
> >>> (though it's pretty good obscurity). "Fast" Fourier transforms also
> >>> work best with data sizes that are powers-of-two in length and so
> >>> your throughput can experience odd pulsing behavior while your
> >>> buffers fill waiting to be transformed. Unless you have one of the
> >>> aforementioned "DX2"
> >>> style processors coupled with a V.22bis-capable device, you are
> >>> probably not going to be able to keep up with all the traffic your
> >>> Gopher server is likely to generate.
> >>>
> >>
> >> Well, I was focusing on performance here, not security.  And if I
> use
> >> my Amiga 1000, I can invoke hardware security because of the
> >> non-standard RS-232 port (just try and connect a regular RS-232
> cable
> >> to that system, and see how quickly the modem shorts out!), and
> >> because the instruction set uses Motorola 68000 instructions, not
> DX2
> >> Intel instructions.
> >>
> > That's not really security either.  Any common optical RS-232
> isolator
> > (like the one shown here :
> > http://www.commfront.com/rs232-rs485-rs422-serial-converters/RS232-Isolator-7-wire.htm)
> >
> >  will easily overcome that issue. I started using these everywhere
> > after I blew up the line drivers of my Soroc terminal a couple of
> > times by forgetting to switch it off before I unplugged it. I don't
> > know what the optical nature of the isolator does to the security by
> > obscurity aspect though, I suspect that it may make a
> > man-in-the-middle attack easier (as long as the man is not really in
> > the middle physically of course). For SSL however, due to the higher
> > bitrate, I would recommend a conversion to RS485 (with this e.g. :
> > http://www.szatc.com/english/showpro.asp?articleid=169)
> > (beware of embedded Trojans though).
>
> USB is just a fad. Stick with SCSI unless you want to have a whole lot
> of useless hardware in 18 months.
>
> > Also, for your Amiga, you may want to consider swapping the 68000
> > processor by a 68010. It is pin-compatible and provides a significant
> > speed boost, maybe enough to allow you to switch from a 48-bit
> > encryption scheme to a 128-bit scheme.
>
> Don't forget to install the Microsoft High Encryption pack, or your
> browsers won't be able to decrypt that stuff. I think you have to
> register with the DOD in order to deploy ciphers of that strength.
>
> - -chris

I will just convert everything into machine code.  The Motorola processors
and AmigaOS use Big-Endian, and Intel processors use Little-Endian, so that will just
confuse anyone who uses Intel hardware and most operating systems, particularly if
I just overlay the results with the Beatles' "Helter Skelter" played backwards and sampled
at 11.025 kHz.

Jeffrey Harris

This e-mail and any attachments are intended only for the use of the addressee(s) named herein
and may contain proprietary information. If you are not the intended recipient of this e-mail
or believe that you received this email in error, please take immediate action to notify the
sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments
from your computer; and do not disseminate, distribute, use, or copy this message and any
attachments.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
