Slashdot Mirror

Not as hard to implement as some of the pipe dreams out there. Of course, it does require a degree of tech savvy on the part of users - and more importantly, enforcing it's use, to avoid laziness bypassing.

Then your challenge becomes certificate transport - you'll need a way to carry around your cert, or somehow get hold of it when you need it, which is easier said than done. The real advantage of passwords is their portability. Biometrics have a similar advantage, but as already noted - are a bit harder to revoke/change.

    You're very correct on that.

    For a while, I was doing that with a few things, including Apache and the Linux kernel. There were pieces I needed that didn't progress, so I handled my own backporting of various things. That was a long time ago, and those problems were resolved in more current versions, so it hasn't been necessary for years.

    But, if you're using say mod_ssl to handle your SSL on Apache, and you're still in the 1.3.x tree, you'd now be scored down. Apache just moved the 1.3.x tree to 1.3.42 (which was mentioned on here recently), but mod_ssl only has their patch for 1.3.41. I haven't checked to see if they're compatible yet, but for the sake of argument, lets say that it isn't. If I had these in production, and I didn't upgrade to 1.3.42, I'd now score badly, even if I applied the security patch which is what the difference between 1.3.41 and 1.3.42 is. All I'd have to do is ask it to say it's Apache 1.3.42, or even say something stupid like IIS 7.5, if I really wanted to throw off any attackers. Sometimes it's better to announce the wrong thing, just to distract potential attackers. By announcing IIS, they'd try their suite of Microsoft attacks, rather than Linux attacks.

    Oh, and god forbid you were to do a little honeypot action on your production machines. If you were to put a daemon listening to port 23 (Telnet), to automatically block potential intruders (Connected to port 23? Set an iptables rule immediately), they'd see that port 23 was open, and pitch a fit. That's actually a good security idea, although I don't see it used much in the real world.

In fact, even mod_ssl has information on how to do so on the site:

http://www.modssl.org/docs/2.6/ssl_faq.html#ToC27

Your comment seems to imply that this has changed, but I can't find any supporting documentation.

Correct me if I'm wrong, but don't both of those use OpenSSL?

Yes, thank you Captain Obvious.

An Apache server with mod_proxy, HTTP basic authentication and mod_ssl should do the trick.

Also in that directory:

-rw-r--r-- 1 modssl modssl 753416 Oct 4 13:53 mod_ssl-2.8.11-1.3.27.tar.gz
-rw-r--r-- 1 modssl modssl 286 Oct 4 13:53 mod_ssl-2.8.11-1.3.27.tar.gz.asc

Also in that directory:

-rw-r--r-- 1 modssl modssl 753416 Oct 4 13:53 mod_ssl-2.8.11-1.3.27.tar.gz
-rw-r--r-- 1 modssl modssl 286 Oct 4 13:53 mod_ssl-2.8.11-1.3.27.tar.gz.asc

here is a copy of mod_ssl that works on 1.3.27 (remember, use --force), and for Apache-SSL I posted a patch to the Apache-SSL mailing list.

The parent post is exactly how we do it in our organization (a non-profit with not a lot of money for certs, but lots of things we want to run over SSL). Once someone trusts your root cert you're good to go.

I mostly figured out how to set it up from the Apache mod-ssl module FAQ at http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29. BTW, mod-ssl comes with a nice little signing script that is quite handy.

Once I got the hang of it with Apache sites I used the technique in the FAQ almost verbatim to produce certs for our IMAP and SMTP servers.

You might also check out http://www.openca.org/. I'm not using it, but if I was starting over I would be looking into it.

It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites.

At http://www.modssl.org/ is the new mod_ssl patch for Apache 1.3.26:
19-Jun-2002: Released 2.8.9-1.3.26: Apache 1.3.26 and bugfixes.

It's at modssl.org. Thanks, Ralph!

These days, for casual passwords like /. logins, HTTP basic authentication is still usually good enough. For passwords that need real security, use mod_ssl instead, which is easily added to Apache 1.3 and comes with Apache 2.0 by default, and do basic auth over SSL so the whole HTTP stream is encrypted including the password. HTTP digest authentication's security is sort of halfway between HTTP basic auth and HTTPS basic auth. As a halfway measure, it's not really that useful any more.

Let's just say that Ralf is the commited guy for standard packages.

http://www.openssl.org/
http://www.modssl.org/

To say a few.
He's the guy that wrote mod_rewrite back in the old days. Tough guy.

Got sick of getting jammed by inconsistent floppies, so I installed mod_dav and mod_ssl into apache and "mount" the sucker using web folders for windows. If yah tried this, you could buy a box or two or four (HW/RAID 5, 4 CPU's, FC/AL, 2+ GB RAM, TEST IT FIRST!), (charge each student like 2-3$/meg of remote storage), that should be fully capable of handling the load (it would be prudent to check the scaling prior to purchase, but it shouldn't be too bad to verify the scalablility using a bit of perl to emulate a population of client file operations.)
You don't want students plugging their own drives into computers, or media into drives. They will break something.
mod_dav isn't very quick for file transfers (256 kB/sec), (dunno why, the cable modem I'm on isn't rev limited upstream yet..., maybe some funky locking semantics in mod_dav, haven't looked at it yet.)I also have slow as crap ide drives on my box.
The nice thing about this solution is that it is usable thru any firewalls which permit tcp outbound 80/443.

4 weeks ago Alan Cox spend a weekend i Denmark and Sweden giving talks in Stockholm and Lund to the local LUG he speeks very well!

Absolutely. He's brilliant. In fact, it seems like all the top people in Linux are brilliant speakers. Which came first, the brilliant speaking or the high position in the meritocracy?

This week at ApacheCon Europe I listened to Ralph Engelschall (mod_ssl, mod_rewrite, etc) speak. He was speaking in English, which (seeing he's Swiss) must be his third or fourth language. He was talking about SSL and security, which is a deep technical topic. He was lively, witty, inspiring, fun. He obviously enjoyed himself. He obviously knew his topic inside out. And he was able to communicate both his enjoyment and his knowledge.

I think what it comes down to is the meritocracy. Ralph Engelschall, like Alan Cox, got to his position in the meritocracy because he produces exceedingly could code ('damned cool voodoo'). You need to be pretty brilliant to produce code at that level, and many (though not all) pretty brilliant people are good speakers.

• 64k/256k ADSL with static IP
• Redhat 6.2 with ipchains for basic security only exposing SMTP and HTTP. I set it up based on the linux firewall HOWTO
• Sendmail for MTA. Standard RH setup.
• UW IMAP, Apache, mod_ssl and IMP to provide secure remote access.

I have setup SSL for apache on both Linux and WinNT. I found that it was much easier to setup mod_ssl than apache-ssl. Actually if I remember correctly I think I tried using apache-ssl on Linux and WinNT, but I couldn't get it working right. So then I tried mod_ssl and it worked right away the first time...

Mod_SSL is really easy...The instructions I used made it really easy:
Linux: Installation Guide
WinNT: Installation Guide

FoonDog

I have setup SSL for apache on both Linux and WinNT. I found that it was much easier to setup mod_ssl than apache-ssl. Actually if I remember correctly I think I tried using apache-ssl on Linux and WinNT, but I couldn't get it working right. So then I tried mod_ssl and it worked right away the first time...

Mod_SSL is really easy...The instructions I used made it really easy:
Linux: Installation Guide
WinNT: Installation Guide

FoonDog

I recently installed Apache/mod_ssl at work and tried to use it with our existing Verisign certificate. Verisign has some weird double certificate system that caused connection errors with some builds of IE5 under mod_ssl. The same certificates worked under Apache/Stronghold. The mod_ssl FAQ has lots of information on connection problems with IE, but I tried every single suggestion and couldn't get it to work. I eventually switched to a Thawte certificate. That worked like a charm.

So - does anyone know if the problems I encountered were mod_ssl/verisign specific, or does Apache-SSL have the same issues?

Cheers.

http://www.modssl.org/docs/2.6/ ssl _faq.html#ToC3

The reason there aren't a lot more SSL servers running now are 1) US crypto export regulations have made it a pain to ship the software around; and 2) SSL servers in the US generally need to license the RSA patent to use RSA cryptography.

The export stuff has just been relaxed a lot, and the RSA patent will expire on September 20, just a few weeks from now. I expect a lot of new SSL servers to go up after that. Sites that store any personal info (not just financial stuff like credit card numbers) should use SSL a lot more than they do. There's easy-to-install free server software available, certificates are a lot cheaper than they used to be, and computers now are fast enough that the crypto computations aren't a real bottleneck any more.

I'll probably announce SSL availability on my own personal site on September 21, the day after the patent expires ;-).

As far as I understand SSL, you must use virtual interfaces to host SSL web servers. How does the policy change affect these servers?

Yes, but every virtual interface has a different IP address. And ARIN sells IP's not NIC's ;-)
The reason is explained in many articles above, but the vhost part in the mod_ssl FAQ is also very good.

Also, TLS is supposed to fix that. Which browsers implement TLS correctly?

It's not whether TLS or not, it's whether the browser can make use of the upgrade mechanism in TLS.
And equally important is the question which webservers implement this? Last time I checked mod_ssl did not.

As far as I understand SSL, you must use virtual interfaces to host SSL web servers. How does the policy change affect these servers?

Yes, but every virtual interface has a different IP address. And ARIN sells IP's not NIC's ;-)
The reason is explained in many articles above, but the vhost part in the mod_ssl FAQ is also very good.

Also, TLS is supposed to fix that. Which browsers implement TLS correctly?

It's not whether TLS or not, it's whether the browser can make use of the upgrade mechanism in TLS.
And equally important is the question which webservers implement this? Last time I checked mod_ssl did not.

There's this one and this one.

IE may well be good at getting dodgy html to render but it seems they aren't too good at getting what are (presumably, I've never had need to look at them) well defined standards/protocols to work properly. From a server admin point of view the fact that IE chokes on such things is a bit of a pain in the arse. Of course, the end result isn't Microsoft looking bad as the general public will just assume that the server is borked......

"Recently, VeriSign, the Apache Server Project, and SSLeay have collaborated to allow anyone running an Apache server to secure their site with the strongest encryption available"

You can find its website here: http://www.covalent.net/

Or if you live in a free country, you can use mod_ssl at http://www.modssl.org

Also, I wouldn't really call it a close race between Postgres and MySQL features. MySQL doesn't plan to do SQL Transactions, for instance, while Postgres does. MySQL, on the other hand, has much friendlier SQL extensions, particularly for date formatting and such. Both have commercial support options.

I have built a few E-Commerce sites using Linux with the following

Minivend shopping cart and SSL Webserver I use Mysql with DBI you can use an ODBC connector from windoze to the Mysql Server. You will find a converter filter for acces at www.mysql.com that will move your mdb file into the SQL server. Using it this way still allows Windoze apps to access the data and run reports as if it was still an mdb file.

If your site is a commercial site in the US, then there is no way around it--you must license the RSA algorithm from RSA (unless you want to challenge the RSA patent in court!). If you call up RSA they will give you a price quote in the thousands (I tried this once). A far cheaper way to get an RSA license is to buy RedHat Secure Web Server (now repackaged as RedHat Linux Professional).

IANAL, but I have read the "Advanced Cryptography License" that comes with Secure Web Server and I believe that the license does in fact allow you to legally run an implementation RSA using any SSL server software you want on your site. That means you can buy Secure Web Server and then legally run mod_ssl on your web site. That's what I would do if I were in your position, since mod_ssl is a quality free software product.

As far as I can tell, this doesn't directly compromise control of the domain name, just the cheesy webmail account. Of course, as others have stated, that may be an effective tool to help with social engineering..

Anyway, I prefer to roll my own webmail service using Imp along with mod_ssl which doesn't require sending cleartext passwords over the net.

Uh? You are describing SSL/TLS. Go get mod_ssl for Apache and Fortify to enable 128-bit ciphers in all Netscape browsers.