[AusNOG] Maximum users per AP

Mark Delany g2x at juliet.emu.st
Sat Oct 27 11:20:51 EST 2012

> P.S. I would have thought that creating dynamic certificates on the fly 
> would be too processor intensive for all but the smallest sites...

No reason not to pregen and cache small key-length certs for the top
20 sites.

Or pregen one set of primes and use the same primes for each generated
cert, then the only dynamic function is the CA sign. Heck, you don't
even really need (pseudo) primes from an algorithmic perspective, so
the MiTM can just use any numbers at hand.

Given that you are already breaking the intent of SSL, using weak keys
and common (or non-) primes is hardly a big security concern.

Besides, even with 1,000 users it's hard to imagine more than one or
two new HTTPS sites per second once the top 20 are in place. That's
not much of a CP demand.

It's not quite clear to me how this all works if the SSL connection
validates client-side certs, but that's pretty rare excepting the
smarties that BitTorrent via SSL VPNs to avoid you MiTM party-poopers.


More information about the AusNOG mailing list