[cryptography] anyone got a "how not to use OpenSSL" list?

Patrick Mylund Nielsen cryptography at patrickmylund.com
Wed Oct 10 16:38:18 EDT 2012


Hah. I'm surprised the term "security theater" wasn't coined earlier!

On Wed, Oct 10, 2012 at 9:29 PM, Warren Kumari <warren at kumari.net> wrote:
>
> On Oct 10, 2012, at 3:56 PM, Patrick Mylund Nielsen <cryptography at patrickmylund.com> wrote:
>
>> One thing that I've sadly seen more times than I can shake a stick at
>> is people leaving in aNULL/eNULL, or not including !aNULL:!eNULL in
>> their cipher suite list.
>
> So, a number of years ago (~1999) I worked for a registrar.
> We had a number of load balanced webservers, some doing http and others doing SSL (for billing and such).
> One of our brighter sys-admin folk (lets call him Fred) notices one day that the https servers always run hotter and can only handle around 1/2 the connections as the plain http ones. This offends / puzzles him and so he decides to make this the big project that will get him promoted...
>
> I'm not really paying much attention, but know that he's off muting with Apache configs on the  SSL boxen (mainly because they keep falling out of the load-balancer pool). After a week or two of dinking around he comes and shows me some pretty graphs of how much better the load now is on the https machines -- I nod, give him a pat on the head and go back to reading slashdot….
>
> A few weeks later I'm running Ethereal / tcpdump to troubleshoot some issue or other, and suddenly see some payload that looks suspiciouly like a credit card number and name in plain-text…
>
> Guess what his optimization was… Yup, he tried every combination of things in SSLCipherSuite and simply chose the one with the lest CPU...
>
> The fun bit was that browsers (I think Netscape / IE at the time) would happily give you the lock icon…
>
> W
>
>>
>> On Wed, Oct 10, 2012 at 6:34 PM,
>> <travis+ml-rbcryptography at subspacefield.org> wrote:
>>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>>>
>>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>>> probably, but would prefer information to the first point rather than
>>> its complement.
>>> --
>>> http://www.subspacefield.org/~travis/
>>> Any sufficiently advanced magic is indistinguishable from reality.
>>>
>>> _______________________________________________
>>> cryptography mailing list
>>> cryptography at randombit.net
>>> http://lists.randombit.net/mailman/listinfo/cryptography
>>>
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>>
>



More information about the cryptography mailing list