Harris, Jeffrey E. wrote:
Chris,
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, April 09, 2013 10:01 AM
To: Tomcat Users List
Subject: Re: Better SSL connector setup
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jeffrey,
On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Tuesday, April 09, 2013 6:04 AM
To: Tomcat Users List
Subject: Re: Better SSL connector setup
Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
You can improve the performance of the existing RS-232 modem pool by
doing some ROT-13 and Fourier transforms prior to data encoding.
However, this does require the equivalent capability on the receiving
side.
- -1
Using ROT-13 can certainly improve the security of your data in-transit
and *is* a NIST recommendation, but it unfortunately does not improve
performance as it introduces an additional operation in the pipeline.
As usual, real security is a trade-off between convenience (here,
speed) and actual security (the superior cipher algorithm ROT-13). I
believe recent versions of OpenSSL (0.9.1c?) include the new ROT13-XOR-
MD2 cipher, but since it is optimized for 8-bit processors you need to
make sure to have a modern CPU -- I recommend one of the "DX2" Intel
processors.
Okay, it does not improve performance, but it sure confuses the heck out
of man-in-the-middle attacks!
As for Fourier transforms, that's just security through obscurity
(though it's pretty good obscurity). "Fast" Fourier transforms also
work best with data sizes that are powers-of-two in length and so your
throughput can experience odd pulsing behavior while your buffers fill
waiting to be transformed. Unless you have one of the aforementioned
"DX2" style processors coupled with a V.22bis-capable device, you are
probably not going to be able to keep up with all the traffic your
Gopher server is likely to generate.
Well, I was focusing on performance here, not security. And if I use my Amiga
1000, I can invoke hardware security because of the non-standard RS-232 port
(just try and connect a regular RS-232 cable to that system, and see how quickly
the modem shorts out!), and because the instruction set uses Motorola 68000
instructions, not DX2 Intel instructions.
That's not really security either. Any common optical RS-232 isolator (like the one shown
here: http://www.commfront.com/rs232-rs485-rs422-serial-converters/RS232-Isolator-7-wire.htm)
will easily overcome that issue. I started using these everywhere after I blew up the line
drivers of my Soroc terminal a couple of times by forgetting to switch it off before I
unplugged it. I don't know what the optical nature of the isolator does to the security by
obscurity aspect though, I suspect that it may make a man-in-the-middle attack easier (as
long as the man is not really in the middle physically of course).
For SSL however, due to the higher bitrate, I would recommend a conversion to RS485 (with
this, e.g.: http://www.szatc.com/english/showpro.asp?articleid=169)
(beware of embedded Trojans though).
Also, for your Amiga, you may want to consider swapping the 68000 processor for a 68010. It
is pin-compatible and provides a significant speed boost, maybe enough to allow you to
switch from a 48-bit encryption scheme to a 128-bit scheme.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org