[Maas-devel] State of RPC registration and security #2
Blake Rouse
blake.rouse at canonical.com
Fri Oct 10 11:33:35 UTC 2014
On Fri, Oct 10, 2014 at 12:52 PM, Gavin Panella <gavin.panella at canonical.com> wrote:
> On 10 October 2014 11:04, Andres Rodriguez <...> wrote:
> ...
> > What was discussed this week is that the cluster page should be able
> > to generate a token and use that token to tell the cluster to register
> > to the region. We can have a show shared secret or token that will be
> > used for registration. The command line should also be there but also
> > UI.
>
> Yeah, we discussed that earlier this week, but I've had time to think
> since then. Transmitting the secret over the network even for the web UI
> seriously diminishes the trust we can place in that secret. I think we
> should discuss this before doing it, because once it's done it can't be
> undone.
>
The data that is sent from the cluster to the region is already not
encrypted, so you could just sniff that connection and get that key, so that
is already insecure. Also, since we serve the web UI over http and not
https, logging in makes it just as easy to sniff the username and password to
login as admin and make any changes you want. Showing the token in the WebUI
is just as insecure as allowing someone to login without https. If you want
security, we need to redirect all web traffic to https.
>
> ...
> > What was discussed this week was essentially creating a token on the
> > Region Cluster Page, and use that token to register the cluster with
> > the region. The shared secret seems to be this token for the time
> > being. Right?
>
> It is that token, yes.
>
> --
> Mailing list: https://launchpad.net/~maas-devel
> Post to : maas-devel at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~maas-devel
> More help : https://help.launchpad.net/ListHelp
>
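The mitigation named in the reply above (redirect all web traffic to https) as an Apache vhost pair. This is an added example, not part of the original thread and not the MAAS project's own configuration; the hostname, certificate paths and the placement of the MAAS application inside the TLS vhost are assumptions.

```apache
# Added example (not MAAS's shipped config): every plain-HTTP request is
# redirected to HTTPS, so the admin login and any registration token shown
# in the web UI only ever travel over TLS. Hostname and certificate paths
# below are assumptions.
<VirtualHost *:80>
    ServerName maas.example.internal
    # Serve nothing over http; send the browser to the TLS vhost instead.
    Redirect permanent / https://maas.example.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName maas.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/maas.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/maas.example.internal.key
    # HSTS: browsers that have seen this host once will not retry plain http.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # The existing MAAS web UI / API mounting (WSGI or proxy) goes here, unchanged.
</VirtualHost>
```

The `Redirect` and `SSLEngine` lines need `mod_alias` and `mod_ssl`; the `Header` line needs `mod_headers` (`a2enmod headers`). A quick check after reloading is `curl -sI http://maas.example.internal/`, which should return a `301` with an `https://` `Location` and no page body, confirming that nothing, including a login form or a token, is served over the unencrypted port.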