Marc Slemko wrote:
>
> On Sat, 31 Oct 1998, Ben Laurie wrote:
>
> > Ah, I also forgot to mention that an attacker with the ability to talk
> > to gcache can completely screw you with just legitimate messages - by
> > poisoning your cache. They can presumably also get access to session
> > keys. So, if anyone can talk to gcache apart from Apache-SSL, you've had
> > it anyway.
>
> Then running gcache in this way is fundamentally broken and should
> assert() right after it opens the socket and figures out that it worked so
> it is completely insecure.

I'm not sure gcache is in a position to detect this situation. If you
think it can, I'd like to know how.

> You think anyone runs a proxy on the same machine as gcache? Well, oops,
> sorry, can't do that since it could connect to gcache and make it exit by
> sending an invalid request.

Pay attention.

a) you should prevent the proxy from doing it (allowing a proxy to make
random requests to random servers is a well known hole).

b) you should be using Unix domain sockets.

> While you may think that the only way to run a SSL server is where no one
> can login, no users can run any programs on it, etc. in the real world
> that isn't always possible.

I have to say that my main interest is in secure servers. If people want
to run toy SSL servers, then I'll support them as far as I can, but not
if it means compromising the safety of the real ones. That said, I
haven't said that no one can log in, no users can run programs, etc.
You've just invented that requirement. What I have said is that my
threat model says that a local attacker is something that should not be
permitted.

Bottom line: if gcache is a problem in your environment, disable it.

Cheers,

Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
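
Point (b) in the message above, as an added example that is not part of the original e-mail or of Apache-SSL's gcache: a cache daemon listening on a Unix domain socket inside an owner-only directory, plus a check of the connecting peer's uid. The function names `cache_listen` and `peer_is_uid`, the socket name and the `/tmp` demo path are assumptions made for illustration.

```c
#define _GNU_SOURCE                 /* exposes struct ucred on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Listen on dir/name. dir must be a real directory owned by us with mode
 * 0700, so no other local user can reach the socket file. Returns fd or -1. */
int cache_listen(const char *dir, const char *name) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    struct stat st;
    int fd, n;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) return -1;
    n = snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof sa.sun_path) return -1;
    unlink(sa.sun_path);            /* remove a stale socket from an earlier run */
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the connected peer runs as `allowed`, 0 if not, -1 on error. */
int peer_is_uid(int conn, uid_t allowed) {
#ifdef SO_PEERCRED                  /* Linux */
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0) return -1;
    return cr.uid == allowed;
#else                               /* BSDs, macOS */
    uid_t uid; gid_t gid;
    if (getpeereid(conn, &uid, &gid) != 0) return -1;
    return uid == allowed;
#endif
}

int main(void) {
    char dir[] = "/tmp/cache-demo-XXXXXX";   /* constructed demo location */
    if (!mkdtemp(dir)) return 1;
    int srv = cache_listen(dir, "cache.sock");
    printf("listening: %s\n", srv >= 0 ? "yes" : "no");
    return srv >= 0 ? 0 : 1;
}
```

A daemon built this way would call `peer_is_uid()` on each accepted connection and close any connection whose peer is not the web server's uid.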