[erlang-questions] YAWS with SSL Connections Problem

Valentin Micic v@REDACTED
Wed Oct 21 00:54:48 CEST 2009


> If clear text communication between the erlang vm and
> the ssl_esock over the loopback interface is an issue,
> then I suppose you might also want to secure the erlang
> inter-node communication, if you run a distributed
> system, and maybe you would also want to take measures
> against someone reading the memory image of the erlang
> vm os-process, or against someone reading the swap.

Let's not get carried away here -- it is one thing to run a snoop on a
socket that carries an HTTPS request as clear text, and a completely
different thing to try to understand Erlang-encoded traffic that is
multiplexed over a single socket. The barrier to entry is much higher, and,
as a consequence, you can round up fewer suspects :-)

>> I've always assumed that SSL support is tightly coupled with a linked-in
>> driver, hence not exposing anything via clear text (well, other than
>> a user-level function call).

> From this point of view, the new ssl implementation
> has an advantage over the old: it doesn't use any
> ssl_esock, but handles the SSL protocol entirely within
> the erlang vm, as far as I've understood.

I am very glad to hear that (if this is indeed the case).

> Are there any users of the new ssl implementation, or
> if not, what are the major show-stoppers?

Usually, it is very difficult to motivate a new implementation (especially
if it is advertised as alpha) in a commercial environment -- auditors would
consider it a major risk. Issues are rarely technical; however, when a
technical issue may be exploited to further some political goal, it
invariably is.

Regards

V/



