Hello,

I built apache+openssl+mod_ssl. It is working fine, and I have been starting the server with:

    apachectl startssl

Recently, however, I have decided that I will not be doing anything over https (for a while, at least) with this web server, so for security reasons, I want to only run on port 80.

So now I start the server with:

    apachectl start

And it runs without SSL. My question is, is starting the SSL enabled apache like this, and running it without SSL exactly the same security-wise as running a copy of apache without SSL at all? That is, SSL libraries, etc., can have vulnerabilities in them, and am I still vulnerable to those problems even if I am running only on port 80?

What kinds of attacks might I _not_ be insulating myself against by simply not running SSL, vs. reinstalling without it?

thanks,

__________________________________
Yahoo! Mail Mobile
Take Yahoo! Mail with you! Check email on your mobile phone.
http://mobile.yahoo.com/learn/mail
Drew B. [Security Expertise/Freelance Security research].
2005-May-14 06:07 UTC
different ways to disable https in apache...
> What kinds of attacks might I _not_ be insulating myself against by simply not running SSL, vs. reinstalling without it?

A quick one; SSL, as you know, encrypts that link and makes it secure, hence the 'handshake' name, so without this you are opening your port 80 to any connection, that is the bottom line. If you look at it on a 'grande' scale it ain't such a big deal; for some people it would be seen as a no, but then how many sites do you see running only SSL clients? Not many.... it all depends on who you want to attract.

My opinion - depending on your confidence in your own web skills, and your familiarity with apache itself, I would use it and monitor port 80 a lot more than previously; also note your traffic will most likely increase. As for actual exploitations, I cannot disclose that information simply, but it will always be vulnerable without a vigilant web admin anyhow, I say go for it.

Regards,
Drew.

On 5/14/05, Joe Schmoe <non_secure@yahoo.com> wrote:
> Hello,
>
> I built apache+openssl+mod_ssl. It is working fine,
> and I have been starting the server with:
>
> apachectl startssl
>
> Recently, however, I have decided that I will not be
> doing anything over https (for a while, at least) with
> this web server, so for security reasons, I want to
> only run on port 80.
>
> So now I start the server with:
>
> apachectl start
>
> And it runs without SSL. My question is, is starting
> the SSL enabled apache like this, and running it
> without SSL exactly the same security-wise as running
> a copy of apache without SSL at all? That is, SSL
> libraries, etc., can have vulnerabilities in them, and
> am I still vulnerable to those problems even if I am
> running only on port 80?
>
> What kinds of attacks might I _not_ be insulating
> myself against by simply not running SSL, vs.
> reinstalling without it?
>
> thanks,
>
> __________________________________
> Yahoo! Mail Mobile
> Take Yahoo! Mail with you! Check email on your mobile phone.
> http://mobile.yahoo.com/learn/mail
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
--------------------------------------------------------------------
Drew B. Independent Security analysis, for Aussies. Security researcher/expert, threat-focus, Freelance.
> My question is, is starting the SSL enabled apache like this, and
> running it without SSL exactly the same security-wise as running a copy
> of apache without SSL at all?

No, it is certainly not exactly the same. As you note, you will still link against the OpenSSL libraries, and even though you won't be directly calling functions in them, I can certainly imagine an exploit that could take advantage of their availability.

More importantly, mod_ssl modifies the apache module API, since the standard API in 1.3 was not powerful enough for SSL to just drop in like other modules - so the internal architecture of a mod_ssl/EAPI-enabled apache will be noticeably different from that of a normal apache, even if all SSL functionality is disabled.

Bottom line is, even if SSL functionality is turned off, it's still in there, and it increases the complexity of the server significantly. And increased complexity almost always means decreased security. If you're not using it, and don't have immediate plans to use it, don't build it.

-Jason
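Jason's point is that `apachectl start` versus `apachectl startssl` only changes what is enabled at run time, not what is built into the binary. The following POSIX sh script is an added example for checking that on a host; it is not code from the thread or from any of the posters. It separates three checks a defender would want to confirm: whether the httpd binary is linked against libssl/libcrypto (from ldd(1) output), whether mod_ssl is statically compiled in (from `httpd -l`, which lists compiled-in modules), and whether anything is bound to TCP 443 (from `sockstat -4l` on FreeBSD or `netstat -an` elsewhere). The binary path `/usr/local/sbin/httpd` is an assumption (the FreeBSD ports default) and the sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: audit what an httpd binary actually
# carries, regardless of whether it was started with "apachectl start" or
# "apachectl startssl". HTTPD is an assumed path (FreeBSD ports default);
# override it in the environment if yours differs.
HTTPD="${HTTPD:-/usr/local/sbin/httpd}"

# ssl_libs_linked TEXT
#   TEXT is ldd(1) output. Prints each SSL/crypto shared object the binary
#   is linked against and returns 0 if any was found, 1 otherwise.
ssl_libs_linked() {
    printf '%s\n' "$1" | awk '
        /libssl|libcrypto/ { found = 1; print $1 }
        END { exit found ? 0 : 1 }'
}

# ssl_module_compiled_in TEXT
#   TEXT is "httpd -l" output (statically compiled-in modules).
#   Returns 0 if mod_ssl.c is built into the binary.
ssl_module_compiled_in() {
    printf '%s\n' "$1" | grep -q 'mod_ssl\.c'
}

# https_listening TEXT
#   TEXT is "sockstat -4l" (FreeBSD) or "netstat -an" style output.
#   Returns 0 if any local address in it is bound to port 443
#   ("*:443" or "*.443" followed by whitespace).
https_listening() {
    printf '%s\n' "$1" | grep -Eq '[:.]443[[:space:]]'
}

# report LDD_TEXT MODS_TEXT SOCK_TEXT: print one verdict line per check.
report() {
    if libs=$(ssl_libs_linked "$1"); then
        echo "linked SSL/crypto libraries: $(printf '%s' "$libs" | tr '\n' ' ')"
    else
        echo "no SSL/crypto libraries linked"
    fi
    if ssl_module_compiled_in "$2"; then
        echo "mod_ssl is compiled into the binary"
    else
        echo "mod_ssl is not compiled in (check LoadModule lines if you use DSOs)"
    fi
    if https_listening "$3"; then
        echo "something is listening on TCP 443"
    else
        echo "nothing is listening on TCP 443"
    fi
}

# audit_httpd: gather the three outputs from the live system and report.
audit_httpd() {
    ldd_out=$(ldd "$HTTPD" 2>/dev/null)
    mods_out=$("$HTTPD" -l 2>/dev/null)
    if command -v sockstat >/dev/null 2>&1; then
        sock_out=$(sockstat -4l 2>/dev/null)
    else
        sock_out=$(netstat -an 2>/dev/null)
    fi
    report "$ldd_out" "$mods_out" "$sock_out"
}

# Constructed sample outputs (not captured from a real host) modelling the
# thread's situation: built with mod_ssl, started with "apachectl start".
SAMPLE_LDD='/usr/local/sbin/httpd:
        libssl.so.3 => /usr/lib/libssl.so.3 (0x2808a000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x280b7000)
        libc.so.5 => /lib/libc.so.5 (0x281a0000)'
SAMPLE_MODS='Compiled-in modules:
  http_core.c
  mod_log_config.c
  mod_ssl.c'
SAMPLE_SOCK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  16 tcp4   *:80                  *:*'

# Run against the samples first, then against the live binary if present.
report "$SAMPLE_LDD" "$SAMPLE_MODS" "$SAMPLE_SOCK"
if [ -x "$HTTPD" ]; then
    audit_httpd
fi
```

On the constructed samples the report says the libraries are linked and mod_ssl is compiled in while nothing listens on 443, which is exactly the gap Jason describes: the code is present even though the listener is not. A server rebuilt without mod_ssl should report neither. Note that `httpd -l` only lists statically compiled modules; on an Apache 2.x build that loads mod_ssl as a DSO, the `LoadModule ssl_module` line in httpd.conf (or `httpd -M` on 2.2 and later) is what to check instead.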