[brlug-general] Where do you put your SSL files?
-ray
ray at ops.selu.edu
Wed Nov 28 10:04:04 CST 2007
On Wed, 28 Nov 2007, Tim Fournet wrote:
> If you're assuming that the machine is compromised by a savvy attacker,
> then yeah, he would read the key out of RAM. But I'd argue that it's a
> couple of degrees harder to get a memory dump and know what to do with
> it than finding and stealing a file that says
> ultra-secure-ssl-key-do-not-steal-please.crt.
Very true. So what do you do after an attack? Hope the attacker wasn't
very savvy? Most of them aren't, but still... Guess it depends on what
you're trying to protect. As an exercise, I downloaded the pcat utility
(http://www.porcupine.org/forensics/tct.html) and dumped the memory from
one of my Apache processes. I saw the strings 'PRIVATE KEY' and
'---BEGIN---' '---END---' in a few places but couldn't find the actual
key. Armed with a hex editor, the Apache source code, and perhaps a
debugger, I think a semi-competent attacker could get the key pretty
easily.
I'll also argue that even if I gave you the private key in clear text,
it's still a non-trivial task to capture the entire SSL session, replay
and decrypt the data you want. Still very possible, but non-trivial.
As a good security practitioner, it's always better to assume the worst
than hope for the best. :)
ray
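The exercise Ray describes (hunting for 'PRIVATE KEY' markers in an Apache memory dump) and Tim's point about a key file being the easier target both come down to one question for the defender: is unencrypted key material sitting somewhere it can simply be read? The following Python script is an added example, not code from anyone in this thread or from the pcat/TCT toolkit. It scans a byte buffer (a key file, or a process dump you captured during incident response) for complete PEM private-key blocks, distinguishes a bare marker string from a parseable block, and flags blocks stored without a passphrase and files whose permission bits grant group or world access. The dump content and the base64 bodies are constructed placeholders, not real keys.

```python
"""Audit helpers for the two exposure paths discussed in the thread: a
private-key file readable by the wrong users, and key material lying
unencrypted in a byte buffer (a file or a process memory dump taken during
incident response). Added example using constructed data only."""
import os
import re
import stat

# One complete PEM private-key block: BEGIN line, body, matching END line.
# The label is captured so the END line must match the BEGIN line exactly.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def find_private_keys(blob: bytes) -> list:
    """Locate every complete PEM private-key block in blob.

    Each hit records its byte offset, the PEM label, and whether the block is
    marked encrypted (a PKCS#8 'ENCRYPTED PRIVATE KEY' label, or the legacy
    'Proc-Type: 4,ENCRYPTED' header inside an RSA/EC block)."""
    hits = []
    for m in PEM_PRIVATE_KEY.finditer(blob):
        label, body = m.group(1), m.group(2)
        encrypted = b"ENCRYPTED" in label or b"Proc-Type: 4,ENCRYPTED" in body
        hits.append({"offset": m.start(),
                     "label": label.decode("ascii"),
                     "encrypted": encrypted})
    return hits


def count_marker_strings(blob: bytes) -> int:
    """Count raw 'PRIVATE KEY' occurrences, whether or not they belong to a
    complete block. A count above 2 * len(find_private_keys(blob)) means
    fragments exist that a strings-style search reports but that do not
    form a parseable key."""
    return blob.count(b"PRIVATE KEY")


def audit_key_material(data: bytes, mode: int) -> list:
    """Return findings for key-file content plus its permission bits."""
    findings = []
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group/other access; "
                        f"expected 0600 or 0400")
    keys = find_private_keys(data)
    if not keys:
        findings.append("no complete PEM private-key block found")
    for k in keys:
        if not k["encrypted"]:
            findings.append(f"{k['label']} at offset {k['offset']} "
                            f"is stored unencrypted")
    return findings


def audit_key_file(path: str) -> list:
    """Stat and read a real file on disk, then apply audit_key_material."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as f:
        return audit_key_material(f.read(), mode)


# Constructed stand-in for a memory dump: a stray marker string with no
# block around it, one unencrypted block, one passphrase-protected block.
# The base64 bodies are placeholder text, not real key material.
SAMPLE_DUMP = (
    b"\x00\x00heap junk\x00"
    b"PRIVATE KEY"                      # fragment only, like a partial hit
    b"\x00\x00more junk\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"\x00\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    b"\n"
    b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("marker strings:", count_marker_strings(SAMPLE_DUMP))
    for hit in find_private_keys(SAMPLE_DUMP):
        print(hit)
    for finding in audit_key_material(SAMPLE_DUMP, 0o644):
        print("finding:", finding)
```

Run `audit_key_file("/path/to/server.key")` against your own hosts' key files; a finding about permission bits is the cheap fix Tim alludes to, and the "stored unencrypted" finding tells you whether a stolen file is usable as-is. The marker count versus block count mirrors what Ray saw: several 'PRIVATE KEY' strings in a dump do not by themselves mean a complete key is recoverable from them, though they are reason enough to rotate the key after a compromise.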