
I'm not sure about the mechanics of this, but at a minimum the webserver probably has access to the HTTPS private key for the subdomain, or at least has it in memory, since the request is shown to be running over HTTPS.



Reading the memory of another process is not allowed on a modern OS for precisely that reason, so this would be another exploit. (http://en.wikipedia.org/wiki/Process_isolation) But the keys are most likely on disk, readable by the server ;).

Also, some setups are not prone to this: Twitter most likely uses a proxy terminating SSL and then forwards the request to a smaller webserver running the app. This one will not hold the keys.

Most larger webservers can also run the app workers as a different user than the webserver itself.


> Twitter most likely uses a proxy terminating SSL

https://en.wikipedia.org/wiki/SSL_termination_proxy


All web servers I've seen open the key files before dropping root privileges. These should never be readable by anything but root.
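The open-then-drop pattern described in the comment above, as an added example in C that is not code from the thread or from any particular web server. The key path and the target uid/gid 65534 (nobody/nogroup on many distributions) are assumptions; the functions that check the drop work as any user, but the end-to-end run needs to start as root with a root-only 0400 key file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open the key while still privileged and keep the descriptor. The path is an
 * assumption for the example; the file is expected to be root-owned, mode 0400. */
static int open_key(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and the gid
 * go first, because once the uid is unprivileged setgroups()/setgid() fail with
 * EPERM. setres*id() sets real, effective and saved ids together, so no saved
 * root id is left to switch back to. Returns 0 on success, -1 on error. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)  /* only root may call this */
        return -1;
    if (setresgid(gid, gid, gid) < 0)
        return -1;
    if (setresuid(uid, uid, uid) < 0)
        return -1;
    return 0;
}

/* Verify the drop took: all three uids and gids match, and if we left root,
 * getting it back must fail. Returns 1 if privileges are gone, 0 otherwise. */
static int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) < 0 || getresgid(&rg, &eg, &sg) < 0)
        return 0;
    if (ru != uid || eu != uid || su != uid || rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)  /* succeeds only if a saved root id remained */
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    /* Assumed defaults; pass a key path as argv[1] to override. */
    const char *key_path = argc > 1 ? argv[1] : "/etc/ssl/private/server.key";
    uid_t uid = 65534;
    gid_t gid = 65534;

    int fd = open_key(key_path);
    if (fd < 0) { perror("open key (start as root)"); return 1; }
    if (drop_privileges(uid, gid) < 0) { perror("drop_privileges"); return 1; }
    if (!privileges_dropped(uid, gid)) { fprintf(stderr, "still privileged\n"); return 1; }

    /* The file can no longer be opened by this process ... */
    int again = open(key_path, O_RDONLY);
    printf("re-open after drop: %s\n",
           again < 0 ? strerror(errno) : "succeeded (key file is not root-only?)");
    /* ... but the descriptor taken before the drop still reads the key. */
    char head[16];
    ssize_t n = read(fd, head, sizeof head);
    printf("held fd still readable: %s\n", n > 0 ? "yes" : "no");
    return 0;
}
```

The last two lines of output are the practitioner's caveat: dropping privileges protects the key file on disk, not the copy the process already holds in a descriptor or in memory, which is why the rest of the thread turns to process memory and to terminating TLS in a separate process.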


> Reading the memory of another process is not allowed on modern OS for precisely that reason, so this would be another exploit.

Both Linux and Windows allow processes to read the memory of other processes running as the same user, via ptrace() and /proc/pid/mem on Linux, and via ReadProcessMemory() on Windows.

(how else could you ever debug anything?)


Yes, but ptrace can be disallowed by the process and behaves differently on some kernels, e.g. Ubuntu hardened:

https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening...

https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

They usually only allow ptrace from parent to child or as root.

Also, wrt debugging, see the comment in the second link:

> If you are running a machine and do not plan on debugging the applications on this machine, you should turn this boolean on.
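The two comments above make the opposite halves of one point: a same-uid process can read another process's memory through /proc/pid/mem, and Yama's ptrace_scope restricts that. The following added example (not code from the thread) demonstrates both on Linux: a forked "server" child holds a constructed secret in memory, the parent reads it out via /proc/<pid>/mem, and the current ptrace_scope is reported. The secret string is a constructed stand-in, not key material; the parent is the child's ancestor, so scope 0 and 1 permit the read, scope 2 requires CAP_SYS_PTRACE, and scope 3 denies it outright.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for key material a server keeps in memory (not a real key). */
static const char SECRET[] = "-----BEGIN PRIVATE KEY----- constructed sample";

/* The "server" child copies SECRET here. The parent's copy of this buffer stays
 * zeroed, so any SECRET bytes the parent sees must have come from the child's
 * address space. fork() preserves the layout, so &secret_buf is the same
 * address in both processes. */
static char secret_buf[sizeof SECRET];

/* Read len bytes at addr in process pid through /proc/<pid>/mem. Returns 1 on
 * success, 0 if the kernel's ptrace_may_access() check refused (different uid,
 * Yama ptrace_scope, non-dumpable target), -1 on any other error. */
static int read_remote(pid_t pid, const void *addr, void *out, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return (errno == EPERM || errno == EACCES) ? 0 : -1;
    ssize_t n = pread(fd, out, len, (off_t)(uintptr_t)addr);
    int saved = errno;
    close(fd);
    if (n == (ssize_t)len)
        return 1;
    return (saved == EPERM || saved == EACCES) ? 0 : -1;
}

/* Yama setting: 0 = classic same-uid rule, 1 = ancestors (and CAP_SYS_PTRACE)
 * only, 2 = CAP_SYS_PTRACE only, 3 = no ptrace at all. -1 if Yama is absent. */
static int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Fork a child that "loads" SECRET and parks; read it back from the parent.
 * Returns 1 if the secret was recovered intact, 2 if the kernel refused access,
 * 0 on an unrelated error (e.g. /proc not mounted). */
static int steal_from_child(void)
{
    int ready[2], done[2];
    char buf[sizeof SECRET], c = 0;

    if (pipe(ready) < 0 || pipe(done) < 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        memcpy(secret_buf, SECRET, sizeof SECRET);   /* key now in memory */
        if (write(ready[1], &c, 1) != 1) _exit(1);   /* tell the parent */
        if (read(done[0], &c, 1) != 1) _exit(1);     /* park until released */
        _exit(0);
    }
    if (read(ready[0], &c, 1) != 1)
        return 0;
    memset(buf, 0, sizeof buf);
    int rc = read_remote(pid, secret_buf, buf, sizeof buf);
    (void)write(done[1], &c, 1);
    waitpid(pid, NULL, 0);
    close(ready[0]); close(ready[1]); close(done[0]); close(done[1]);

    if (rc == 1)
        return memcmp(buf, SECRET, sizeof SECRET) == 0 ? 1 : 0;
    return rc == 0 ? 2 : 0;
}

int main(void)
{
    printf("yama ptrace_scope: %d\n", yama_ptrace_scope());
    int r = steal_from_child();
    printf("%s\n", r == 1 ? "read the child's secret from /proc/<pid>/mem"
                 : r == 2 ? "kernel denied access to the child's memory"
                 : "error");
    return r == 0;
}
```

Run it once as is and once after `sysctl kernel.yama.ptrace_scope=2` (or 3) to see the same code go from recovering the secret to being refused; an unrelated same-uid process, i.e. not an ancestor, is already refused at scope 1. The same access check governs ptrace(PTRACE_ATTACH) and process_vm_readv(), so the file route is not a bypass of it.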


ReadProcessMemory() requires the process to have debug privileges.

(how else could you ever secure anything?)
