[brlug-general] Where do you put your SSL files?

[Tim Fournet]

-ray wrote:
> Very true.  So what do you do after an attack?  Hope the attacker wasn't 
> very savvy?  Most of them aren't, but still...  Guess it depends on what 
> you're trying to protect.  As an exercise, I downloaded the pcat utility 
> (http://www.porcupine.org/forensics/tct.html) and dumped the memory from 
> one of my Apache processes.  I saw the strings 'PRIVATE KEY' and 
> '---BEGIN---' '---END---' in a few places but couldn't find the actual 
> key.   Armed with a hex editor, the Apache source code, and perhaps a 
> debugger, I think a semi-competent attacker could get the key pretty 
> easily.
>   

One case where my usb-mounted drive or external mount suggestion would 
help would be if the physical web server were stolen. If the drive is 
gone, there's no key to steal, after the server's lost power.

> I'll also argue that even if I gave you the private key in clear text, 
> it's still a non-trivial task to capture the entire SSL session, replay 
> and decrypt the data you want.  Still very possible, but non-trivial.
>
> As a good security practitioner, it's always better to assume the worst 
> than hope for the best. :)
>   
But do you also just give up on any attempt at security just because 
there's a case where it may fail? You're right that as long as the 
machine has knowledge of the key, it can somehow get stolen, but if you 
minimize the avenues that it can get stolen by, you have at least 
minimized the risk by some degree.

After the attack, what do you do? Revoke the certificate at the CA and 
get a new one.