full-disk subversion standards released
Thor Lancelot Simon
tls at rek.tjls.com
Fri Mar 6 14:01:26 EST 2009
On Sat, Mar 07, 2009 at 07:36:25AM +1300, Peter Gutmann wrote:
>
> In any case though, how big a deal is private-key theft from web servers?
> What examples of real-world attacks are there where an attacker stole a
> private key file from a web server, brute-forced the password for it, and then
> did... well, what with it? I don't mean what you could in theory do with it,
> I mean which currently-being-exploited attack vector is this helping with?
Almost no web servers run with passwords on their private key files.
Believe me. I build server load balancers for a living and I see a _lot_
of customer web servers -- this is how it is.
> This does seem like rather a halfway point to be in though, if you're not
> worried about private-key theft from the server then do it in software, and if
> you are then do the whole thing in hardware (there's quite a bit of this
> around for SSL offload)
No, no there's not. In fact, I solicited information here about crypto
accelerators with onboard persistent key memory ("secure key storage")
about two years ago and got basically no responses except pointers to
the same old, discontinued or obsolete products I was trying to replace.
--
Thor Lancelot Simon tls at rek.tjls.com
"Even experienced UNIX users occasionally enter rm *.* at the UNIX
prompt only to realize too late that they have removed the wrong
segment of the directory structure." - Microsoft WSS whitepaper
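The claim above that web-server private keys are almost never stored with a passphrase is something a defender can check directly rather than take on faith. The following is an added example, not code from the list post or from either author, that inventories PEM files on a host and reports which private keys are stored unprotected. It recognises the two ways OpenSSL marks encryption: the "traditional" PKCS#1/SEC1 PEM form uses RFC 1421 `Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers, while PKCS#8 changes the label itself to `ENCRYPTED PRIVATE KEY`. The sample PEM bodies are constructed placeholders (not real key material), and the file extensions it scans for are an assumption.

```python
"""Inventory PEM private keys on disk and flag those stored without a passphrase.

Added example; the PEM bodies in SAMPLE_KEYS are constructed placeholder base64,
not real keys. The set of file extensions scanned is an assumption.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# One PEM block: label on the BEGIN line, everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)^-----END (?P=label)-----",
    re.DOTALL | re.MULTILINE,
)

# "Traditional" OpenSSL labels: encryption is signalled by RFC 1421 headers in the body.
TRADITIONAL_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
# PKCS#8 labels: encryption is signalled by the label itself.
PKCS8_PLAIN = "PRIVATE KEY"
PKCS8_ENCRYPTED = "ENCRYPTED PRIVATE KEY"

# Assumed extensions under which server operators commonly keep key material.
KEY_EXTENSIONS = (".pem", ".key")


@dataclass
class KeyFinding:
    label: str
    encrypted: bool
    cipher: str  # e.g. "AES-256-CBC" for legacy PEM, "PKCS#8 PBES" when opaque, "" if plaintext


def classify_pem(text: str) -> List[KeyFinding]:
    """Return one finding per private-key block in `text`; certificates etc. are skipped."""
    findings: List[KeyFinding] = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        if label == PKCS8_ENCRYPTED:
            findings.append(KeyFinding(label, True, "PKCS#8 PBES"))
        elif label == PKCS8_PLAIN:
            findings.append(KeyFinding(label, False, ""))
        elif label in TRADITIONAL_LABELS:
            # RFC 1421 headers ("Key: value") come first, then a blank line, then base64.
            # Base64 lines never contain ':', so the header run ends at the first such line.
            headers = {}
            for line in body.splitlines():
                if ":" not in line:
                    break
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
            encrypted = headers.get("Proc-Type", "") == "4,ENCRYPTED"
            cipher = headers.get("DEK-Info", "").split(",")[0] if encrypted else ""
            findings.append(KeyFinding(label, encrypted, cipher))
    return findings


def unprotected_keys(text: str) -> List[KeyFinding]:
    """Only the findings a reviewer needs to act on: private keys with no passphrase."""
    return [f for f in classify_pem(text) if not f.encrypted]


def scan_tree(root: str) -> Iterator[Tuple[str, KeyFinding]]:
    """Walk `root` and yield (path, finding) for every unprotected private key found."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(KEY_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not fatal
            for finding in unprotected_keys(text):
                yield path, finding


# Constructed sample: four private-key blocks (two unprotected) plus one certificate.
SAMPLE_KEYS = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

U2FsdGVkX1000000000000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI000000000000000
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ000000000000
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIE00000000000000000000000000000000000000000
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for f in classify_pem(SAMPLE_KEYS):
        print(f"{f.label:<24} encrypted={f.encrypted!s:<5} {f.cipher}")
    # On a real host: for path, f in scan_tree("/etc/ssl/private"): print(path, f.label)
```

Running `scan_tree` over a web server's key directory gives the per-host count behind the "almost no web servers" observation; a zero result from the encrypted check on a key that the server loads without a prompt is the expected case, and is exactly the exposure the thread is discussing.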
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com