Re: [gentoo-user] HTTPS/CA
Iain Buchanan wrote: On Mon, 2005-06-20 at 16:54 -0700, David Busby wrote: Gurus, In this hypothetical situation how would someone break in or view the data transmitted? [snip] Since traffic is limited to IPs that I trust and everyone must have a certificate signed by my CA how can jerks break into my box? Seems to be to be pretty solid, so I must be missing something. 1. Change my ip to one that you trust. The hacker still would not be able to present a valid certificate, though, right? This depends on what the OP meant when he said If the client is not signed I generate and securely transmit a cert to the client and then open the network to their IP. Do you mean that you do this in an automated way (blech), or is it done manually in some offline manner (better)? 2. Break into a box you trust which may not be so locked down as yours is... This is the biggest hole that I see. JZ -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] HTTPS/CA
John Ziniti wrote: Iain Buchanan wrote: On Mon, 2005-06-20 at 16:54 -0700, David Busby wrote: The hacker still would not be able to present a valid certificate, though, right? This depends on what the OP meant when he said If the client is not signed I generate and securely transmit a cert to the client and then open the network to their IP. Do you mean that you do this in an automated way (blech), or is it done manually in some offline manner (better)? Yes if the client isn't signed by my one and only one trusted CA (which is me) I will give them the cert in a manual/offline way, even if it is inconvienient. 2. Break into a box you trust which may not be so locked down as yours is... This is the biggest hole that I see. Yea, I thought so too. JZ Excellent feedback, thank you. /djb -- gentoo-user@gentoo.org mailing list
[gentoo-user] HTTPS/CA
Gurus, In this hypothetical situation how would someone break in or view the data transmitted? Hardend Gentoo/Linux/Apache system with only port 443 open in a secure facility (please assume that hardend means everything you, dear reader, would do to secure a box). Now this Apache server is configured only to accept connections from clients who present a certificate signed by the CA who signed the servers cert. If the client is not signed I generate and securely transmit a cert to the client and then open the network to their IP. Since traffic is limited to IPs that I trust and everyone must have a certificate signed by my CA how can jerks break into my box? Seems to be to be pretty solid, so I must be missing something. /djb -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] HTTPS/CA
On Mon, 2005-06-20 at 16:54 -0700, David Busby wrote: Gurus, In this hypothetical situation how would someone break in or view the data transmitted? [snip] Since traffic is limited to IPs that I trust and everyone must have a certificate signed by my CA how can jerks break into my box? Seems to be to be pretty solid, so I must be missing something. 1. Change my ip to one that you trust. 2. Break into a box you trust which may not be so locked down as yours is... maybe :) -- Iain Buchanan [EMAIL PROTECTED] -- gentoo-user@gentoo.org mailing list