On Sat, 31 Oct 1998, Ben Laurie wrote:
> Ah, I also forgot to mention that an attacker with the ability to talk
> to gcache can completely screw you with just legitimate messages - by
> poisoning your cache. They can presumably also get access to session
> keys. So, if anyone can talk to gcache apart from Apache-SSL, you've had
> it anyway.

Then running gcache in this way is fundamentally broken and should
assert() right after it opens the socket and figures out that it worked so
it is completely insecure.

You think anyone runs a proxy on the same machine as gcache? Well, oops,
sorry, can't do that since it could connect to gcache and make it exit by
sending an invalid request.

While you may think that the only way to run an SSL server is where no one
can log in, no users can run any programs on it, etc., in the real world
that isn't always possible.
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]