-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

On 4/10/13 12:17 PM, Harris, Jeffrey E. wrote:
>
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Wednesday, April 10, 2013 12:09 PM
>> To: Tomcat Users List
>> Subject: Re: Better SSL connector setup
>>
>> André,
>>
>> On 4/9/13 11:54 AM, André Warnier wrote:
>>> Harris, Jeffrey E. wrote:
>>>> Chris,
>>>>
>>>>> -----Original Message-----
>>>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>>>> Sent: Tuesday, April 09, 2013 10:01 AM
>>>>> To: Tomcat Users List
>>>>> Subject: Re: Better SSL connector setup
>>>>>
>>>>> Jeffrey,
>>>>>
>>>>> On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>>>>> Sent: Tuesday, April 09, 2013 6:04 AM
>>>>>>> To: Tomcat Users List
>>>>>>> Subject: Re: Better SSL connector setup
>>>>>>>
>>>>>>> Christopher Schultz wrote:
>>>>>>>>
>>>>>> You can improve the performance of the existing RS-232 modem pool by doing some ROT-13 and Fourier transforms prior to data encoding. However, this does require the equivalent capability on the receiving side.
>>>>>
>>>>> -1
>>>>>
>>>>> Using ROT-13 can certainly improve the security of your data in-transit and *is* a NIST recommendation, but it unfortunately does not improve performance as it introduces an additional operation in the pipeline. As usual, real security is a trade-off between convenience (here, speed) and actual security (the superior cipher algorithm ROT-13). I believe recent versions of OpenSSL (0.9.1c?) include the new ROT13-XOR-MD2 cipher, but since it is optimized for 8-bit processors you need to make sure to have a modern CPU -- I recommend one of the "DX2" Intel processors.
>>>>>
>>>>
>>>> Okay, it does not improve performance, but it sure confuses the heck out of man-in-the-middle attacks!
>>>>
>>>>> As for Fourier transforms, that's just security through obscurity (though it's pretty good obscurity). "Fast" Fourier transforms also work best with data sizes that are powers-of-two in length and so your throughput can experience odd pulsing behavior while your buffers fill waiting to be transformed. Unless you have one of the aforementioned "DX2" style processors coupled with a V.22bis-capable device, you are probably not going to be able to keep up with all the traffic your Gopher server is likely to generate.
>>>>>
>>>>
>>>> Well, I was focusing on performance here, not security. And if I use my Amiga 1000, I can invoke hardware security because of the non-standard RS-232 port (just try and connect a regular RS-232 cable to that system, and see how quickly the modem shorts out!), and because the instruction set uses Motorola 68000 instructions, not DX2 Intel instructions.
>>>>
>>> That's not really security either. Any common optical RS-232 isolator (like the one shown here: http://www.commfront.com/rs232-rs485-rs422-serial-converters/RS232-Isolator-7-wire.htm) will easily overcome that issue. I started using these everywhere after I blew up the line drivers of my Soroc terminal a couple of times by forgetting to switch it off before I unplugged it. I don't know what the optical nature of the isolator does to the security by obscurity aspect though, I suspect that it may make a man-in-the-middle attack easier (as long as the man is not really in the middle physically of course). For SSL however, due to the higher bitrate, I would recommend a conversion to RS485 (with this e.g.: http://www.szatc.com/english/showpro.asp?articleid=169) (beware of embedded Trojans though).
>>
>> USB is just a fad. Stick with SCSI unless you want to have a whole lot of useless hardware in 18 months.
>>
>>> Also, for your Amiga, you may want to consider swapping the 68000 processor by a 68010. It is pin-compatible and provides a significant speed boost, maybe enough to allow you to switch from a 48-bit encryption scheme to a 128-bit scheme.
>>
>> Don't forget to install the Microsoft High Encryption pack, or your browsers won't be able to decrypt that stuff. I think you have to register with the DOD in order to deploy ciphers of that strength.
>>
>> -chris
>
> I will just convert everything into machine code. The Motorola processors and AmigaOS use Big-Endian, and Intel processors use Little-Endian, so that will just confuse anyone who uses Intel hardware and most operating systems, particularly if I just overlay the results with the Beatles' "Helter Skelter" played backwards and sampled at 11.025KHz.

Get yourself a DEC Alpha and write an algorithm that switches endian-ness halfway through the process. Good luck debugging that.
-chris