[Ach] titus - Totally Isolated TLS Unwrapping Server by Andrew Ayer

Thomas Preissler thomas at preissler.co.uk
Sun Mar 15 10:05:38 CET 2015

Dear all,

some while back I came across titus - 
Totally Isolated TLS Unwrapping Server (https://www.opsmate.com/titus/).
(from the same guy running SSLMate).

In a nutshell: This is basically a SSL proxy implementing private key
isolation and private key privilege separation.

I love the idea, mostly because it takes the onerous away that your
backend application has to support SSL/TLS. It also helps what I
understand to improve the security of the private key - obviously only
on a network level, not on a local level.

I am inclined to use this, as I like the idea. I have not read much
about this thing anywhere, do you guys have any experience or opinion on

I am asking more from a crypto angle, than from a "just" sysadmin angle
(it is just yet another service, that's all for me). (Don't get me
wrong, I am also not asking for a source code audit.)

More technical details here
* https://securityblog.redhat.com/2014/06/18/openssl-privilege-separation-analysis/
* https://www.agwa.name/blog/post/protecting_the_openssl_private_key_in_a_separate_process
* https://www.agwa.name/blog/post/titus_isolation_techniques_continued



www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint:  CCBD 153A D257 CA7E A217  FDF7 5928 03D1 7588 9415

More information about the Ach mailing list