There's a constant struggle between security and ease of use. This is the first of a series of examples describing the problem in the status quo, and the simple solution with PriVerify and why it matters.

Apache mod_ssl connection to SECF

Problem: Most distributions are configured to set the seeding of all https (HTTP over SSL/TLS) cryto using VERY LOW entropy sources. This means that while you may have 0 bugs / vulnerabilities in any other code/config, that every https connection, that every web page, every piece of data contained therein -- is potentially TRIVIAL for even a semi-skilled bad actor.

Why do they do this? Because the alternative is to (in absense of PriVerify's SECF solution), have your servers slow or never to start and slow or never to successfully serve requests. So, instead of fixing the problem, it is swept under the rug.

From the Apache mod_ssl documentation:

"But be careful: Usually /dev/random provides only as much entropy data as it actually has, i.e. when you request 512 bytes of entropy, but the device currently has only 100 bytes available two things can happen: On some platforms you receive only the 100 bytes while on other platforms the read blocks until enough bytes are available (which can take a long time). Here using an existing /dev/urandom is better, because it never blocks and actually gives the amount of requested data. The drawback is just that the quality of the received data may not be the best."

The PriVerify Solution

Foundation First. Instead of leaving the biggest challenges to afterthought, PriVerify already has built its Simple Extensible Comprehensive Foundation (SECF) and is delivering service to a number of platforms, already in its 3rd production release.

After installing SECF (takes just a few minutes) to a Linux server, you can then change your Apache configuration file to replace the two or more existing lines ('SSLRandomSeed startup' and 'SSLRandomSeed connect') with the following:

SSLRandomSeed startup egd:/var/run/egd-pool
SSLRandomSeed connect egd:/var/run/egd-pool

The above assumes that your Apache / Linux Security Framework (ie AppArmor) is allowed to access /var/run/egd-pool which is the local UNIX domain socket created by PriVerify secfd which speaks the 'egd' protocol for local application clients.

SSLRandomSeed startup /dev/random
SSLRandomSeed connect /dev/random

PriVerify is built for enterprises and businesses who use IoT and Linux in general (cloud or on-prem) who value the integrity of their data. Learn more or contact the experts directly.

Topics

© 2021 PriVerify Corp. All Rights Reserved.