An Anonymous Coward writes in to tell us about sightings of secrets-related privsep in the wild:
The developer known by the pseudonym insane coder, who authored the popular pro-LibreSSL review LibreSSL: The good and the bad, has presented a solution for preventing common coding mistakes resulting in another Heartbleed:
To protect against exploiting such bugs, one should ensure that buffer overflows do not have access to memory containing private data. The memory containing private keys and similar kinds of data should be protected, meaning nothing should be allowed to read from them, not even the web server itself.
He then talks about using memory protection and process separation to isolate a server's private keys from anything which can be exploited to send them over the network.This technique has already been utilized in an stunnel-like server, and it remains to be seen when others will follow.
Thanks for the tip, Anonymous Coward!Astute readers will note that this technique has
already
been
utilized
in relayd(8) and smtpd(8).
Ссылка: http://undeadly.org/cgi?action=article&sid=20140526133341