Hacker News new | ask | show | jobs
by drakaal 4451 days ago
Just one example, but this is a typical setup.

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/serv...

I don't suggest doing the Clear Text between server and proxy, but the idea is the same. You use a proxy so that you don't ever have user names or passwords in memory longer than a few ms.

Once a user is authenticated data passes through quickly making it very very difficult to do a fingerprint match of the data you do extract.

Also because you can load balance across proxies you may not even hit the same machine with a second "hear beat".

The Cert still has to be there somewhere, so you could still end up giving up a cert, and you could give away anything that fits on a single HTML page as it is flying by in the stream... But most sites know better than to display a password, or a username and a bank account number at the same time (not all, but most).

Heart Bleed is more of an issue because too many people built monoliths, rather than compartmentalizing. The Titanic didn't sink because it was compartmentalized, it sank because the man at the Wheel didn't know to let one compartment take all of the force, and instead spread it over a larger surface.

Your proxy should be disposable. Nothing of value should be on the thing that talks to the user, and shouldn't retain data for any length of time.
1 comments
nl 4451 days ago
This is a great example of why a little knowledge is a bad thing. It almost sounds like you know what you are talking about, which probably confuses people.

Heartbleed is dangerous because it exposes private keys, and that let's you decrypt SSL traffic. That in turn may let you read passwords.

Don't conflate the two separate things.

Compartmentizing is good, but doesn't protect against Heartbleed.

Disposable proxies don't protect you.

Perfect Forward Secrecy does protect you because the private keys aren't reused. It is notable that you didn't mention the one technique that actually helps.

To me that shows you misunderstand what heartbleed is. Some if your critisms of OpenSSL are valid, but not for the reasons you claim.

link
drakaal 4449 days ago
The Private key thing is "bad" but far less bad than the user data that is being exposed.

The Private Key Exposure lets you do impersonation, but you would have to do something with DNS, or such to get it to work. Where as me getting your user/pass, or account information has immediate impact, and can't be "undone".

PS Conflate doesn't mean what you think it does. Conflate has to be wrapper for several topics or ideas that are related.

I can't "conflate" two unrelated things because conflation is by default "true". If we were discussing Gentrification, and Inflation in the housing market of San Francisco then we be talking about the conflated issue of "The San Francisco Housing Crisis".

Just as you can't "inflate" something with a vacuum or sand, or peanut butter, you can't conflate it with something that is unrelated.

This issue of the understanding of the word conflate comes from the fact that people think that "confused" sounds so much like it, and when they are trying to sound smart they use the word conflate when they really mean confuse, and think the two are synonyms.

-Brandon Wirtz

PlexiNLP (I know my words)

link
ksenzee 4449 days ago
"Conflate" is very often, and properly, used to mean "treating two unrelated things as though they were related," which I believe is exactly what the poster meant to say you are doing. You can make an argument that "trying to conflate" would be more accurate, but only if you're more of a linguistic prescriptivist than most editors.
link