The sys admin's daily grind: TLS Interposer

Rescuer at Hand

Article from Issue 179/2015
Author(s):

Many of the recent Linux exploits are the result of vulnerabilities in SSL libraries. TLS Interposer can help calm the waves.

The Poodle attack (Padding Oracle On Downgraded Legacy Encryption) relied on TLS implementations that failed to respond to requests from clients with new TLS versions. They then assumed that the server did not speak TLS at all and switched to the totally obsolete and vulnerable SSLv3. Attackers simply let TLS connections crash into the wall and cheered when the client dug out SSLv3.

Heartbleed was also an implementation error. It gave attackers the ability to read 64KB of the server's RAM – multiple times in succession – thus allowing certificate keys to fall into the wrong hands. Bruce Schneier said at the time that, on a scale of 1 to 10, this was a category 11 disaster [1].

Administrators can avoid all of this pain by keeping the TLS implementations on their servers up to date. But, what if you are forced to run applications that do not even support the latest TLS versions? True to the adage of "Never change a running system," many people stubbornly stick with Apache 2.2, or other services that are of value only to archaeologists.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column: SSLScan

    If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.

    more »
  • Charly's Column – Zint

    Doing a hardware inventory in a data center is anything but a piece of cake. In order to quickly assign devices to the appropriate database entry, Charly provides each newly acquired system with a QR code sticker with the help of Zint.

    more »
  • The sys admin's daily grind: urlwatch

    Experienced system administrators attach great importance to always being up to date when it comes to information technology. Urlwatch is a command-line tool that presents the latest news from websites that do not offer RSS feeds by email.

    more »
  • The sys admin's daily grind: grepcidr

    Often it is the very simple tools that, when used appropriately, lead to the greatest success. This time, sys admin columnist Charly employs an IP address filter to count the devices in his home and trip up spammers to boot.

    more »
  • Charly’s Column: Linux Fair

    According to Goethe, the best way to gain an education is to travel. Sys admin Charly went to Oberhausen, Germany, for the OpenRhineRuhr fair last week.

    more »
comments powered by Disqus