Hah. I'm surprised the term "security theater" wasn't coined earlier!
On Wed, Oct 10, 2012 at 9:29 PM, Warren Kumari <war...@kumari.net> wrote:
>
> On Oct 10, 2012, at 3:56 PM, Patrick Mylund Nielsen
> <cryptogra...@patrickmylund.com> wrote:
>
>> One thing that I've sadly seen more times than I can shake a stick at
>> is people leaving in aNULL/eNULL, or not including !aNULL:!eNULL in
>> their cipher suite list.
>
> So, a number of years ago (~1999) I worked for a registrar.
> We had a number of load-balanced webservers, some doing http and others doing
> SSL (for billing and such).
> One of our brighter sys-admin folk (let's call him Fred) notices one day that
> the https servers always run hotter and can only handle around 1/2 the
> connections as the plain http ones. This offends / puzzles him and so he
> decides to make this the big project that will get him promoted...
>
> I'm not really paying much attention, but know that he's off mucking with
> Apache configs on the SSL boxen (mainly because they keep falling out of the
> load-balancer pool). After a week or two of dinking around he comes and shows
> me some pretty graphs of how much better the load now is on the https
> machines -- I nod, give him a pat on the head and go back to reading
> slashdot....
>
> A few weeks later I'm running Ethereal / tcpdump to troubleshoot some issue
> or other, and suddenly see some payload that looks suspiciously like a credit
> card number and name in plain-text...
>
> Guess what his optimization was... Yup, he tried every combination of things in
> SSLCipherSuite and simply chose the one with the least CPU...
>
> The fun bit was that browsers (I think Netscape / IE at the time) would
> happily give you the lock icon...
>
> W
>
>>
>> On Wed, Oct 10, 2012 at 6:34 PM,
>> <travis+ml-rbcryptogra...@subspacefield.org> wrote:
>>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>>>
>>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>>> probably, but would prefer information to the first point rather than
>>> its complement.
>>> --
>>> http://www.subspacefield.org/~travis/
>>> Any sufficiently advanced magic is indistinguishable from reality.
>>>
>>> _______________________________________________
>>> cryptography mailing list
>>> cryptography@randombit.net
>>> http://lists.randombit.net/mailman/listinfo/cryptography
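Both points in the thread, the forgotten `!aNULL:!eNULL` and the `SSLCipherSuite` "optimization" that picked the cheapest suite, come down to nobody checking what the cipher spec actually expands to. The audit below is an added example, not code from the thread, from OpenSSL or from Apache: it parses the `Kx=`/`Au=`/`Enc=`/`Mac=` columns that `openssl ciphers -v` prints and flags every suite with `Enc=None` (eNULL: no encryption, so card numbers go out in clear) or `Au=None` (aNULL: anonymous key exchange, so anyone can sit in the middle). The sample output lines are constructed for the example; `audit_spec` assumes an `openssl` binary is on the PATH and that it prints the usual `-v` column layout.

```python
"""Audit an OpenSSL cipher-suite spec for NULL encryption / NULL authentication.

Added example, not from the mailing-list thread. It checks the *expanded*
cipher list (what `openssl ciphers -v '<spec>'` actually yields) rather than
trusting the presence of "!aNULL:!eNULL" tokens in a config line.
"""
import re
import shutil
import subprocess

# One line of `openssl ciphers -v` output looks like:
#   NULL-SHA256  TLSv1.2  Kx=RSA  Au=RSA  Enc=None  Mac=SHA256
# Older releases append an "export" flag; the regex does not anchor the end,
# so such lines still parse.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Constructed sample, in the column format `openssl ciphers -v` prints
# (not captured from any real host). Two aNULL suites and one eNULL suite
# are mixed in with a sane one.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AECDH-AES256-SHA        TLSv1   Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
ADH-AES128-SHA          SSLv3   Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
"""


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into a list of dicts, one per suite.

    Lines that do not match the column layout (e.g. error text) are skipped.
    """
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def audit(suites):
    """Return the suite names that offer no encryption (eNULL) and the
    suite names that offer no peer authentication (aNULL).

    An empty list in both slots is the only acceptable result for a
    server that handles anything sensitive.
    """
    return {
        "no_encryption": [s["name"] for s in suites if s["enc"] == "None"],
        "no_authentication": [s["name"] for s in suites if s["au"] == "None"],
    }


def is_clean(report):
    """True when the audit report contains no eNULL and no aNULL suites."""
    return not report["no_encryption"] and not report["no_authentication"]


def audit_spec(spec):
    """Expand SPEC with the local openssl binary and audit the result.

    Assumes an `openssl` binary on the PATH. Raises RuntimeError if it is
    missing, and subprocess.CalledProcessError if the spec matches no suite
    (openssl exits non-zero with "no cipher match" in that case).
    """
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    out = subprocess.run(
        ["openssl", "ciphers", "-v", spec],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(parse_ciphers_v(out))


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Audit a real spec, e.g. the value of an Apache SSLCipherSuite line.
        report = audit_spec(sys.argv[1])
    else:
        report = audit(parse_ciphers_v(SAMPLE_OUTPUT))
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or 'none'}")
    sys.exit(0 if is_clean(report) else 1)
```

Run it with the exact string from the server's `SSLCipherSuite` directive as the argument; a non-zero exit means the expanded list still contains a suite with no encryption or no authentication, regardless of how the spec was spelled. Checking the expansion rather than the spec text is the point: a spec like `HIGH` already excludes these suites without any `!` tokens, while a spec built by trial-and-error for lowest CPU can include them with no warning from the browser's lock icon.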