On Sat, Mar 07, 2009 at 07:36:25AM +1300, Peter Gutmann wrote:
> In any case though, how big a deal is private-key theft from web servers?
> What examples of real-world attacks are there where an attacker stole a
> private key file from a web server, brute-forced the password for it, and then
> did... well, what with it?  I don't mean what you could in theory do with it,
> I mean which currently-being-exploited attack vector is this helping with?

Almost no web servers run with passwords on their private key files.
Believe me.  I build server load balancers for a living and I see a _lot_
of customer web servers -- this is how it is.

> This does seem like rather a halfway point to be in though, if you're not
> worried about private-key theft from the server then do it in software, and if
> you are then do the whole thing in hardware (there's quite a bit of this
> around for SSL offload)

No, no there's not.  In fact, I solicited information here about crypto
accellerators with onboard persistent key memory ("secure key storage")
about two years ago and got basically no responses except pointers to
the same old, discontinued or obsolete products I was trying to replace.

Thor Lancelot Simon                                        t...@rek.tjls.com
    "Even experienced UNIX users occasionally enter rm *.* at the UNIX
     prompt only to realize too late that they have removed the wrong
     segment of the directory structure." - Microsoft WSS whitepaper

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to