[erlang-questions] YAWS with SSL Connections Problem
Valentin Micic
v@REDACTED
Wed Oct 21 00:54:48 CEST 2009
> If clear text communication between the erlang vm and
> the ssl_esock over the loopback interface is an issue,
> then I suppose you might also want to secure the erlang
> inter-node communication, if you run a distributed
> system, and maybe you would also want to take measures
> against someone reading the memory image of the erlang
> vm os-process, or against someone reading the swap.
Let's not get carried away here -- it is one thing to run a snoop on a
socket that carries HTTPS request as a clear text, and completely different
to try to understand Erlang encoded traffic that is multiplexed over a
single socket. Barrier to entry is much higher, and, as a consequence you
can round-up fewer suspects :-)
>> I've always assumed that SSL support is tightly coupled with linked-in
>> driver, hence not exposing anything via clear text (well other than
>> user-level function call).
> From this point of view, the new ssl implementation
> has an advantage over the old: it doesn't use any
> ssl_esock, but handles the SSL protocol entirely within
> the erlang vm, as far as I've understood.
I am very glad to hear that (if this is indeed the case).
> Are there any users of the new ssl implementation, or
> if not, what are the major show-stoppers?
Usually, it is very difficult to motivate a new implementation (especially
if it is advertised as alpha) in a commercial environment -- auditors would
consider it as a major risk. Issues are rarely technical; however, when a
technical issue may be exploited to further some political goal, it
invariably is.
Regards
V/
More information about the erlang-questions
mailing list