[Maas-devel] State of RPC registration and security #2

Gavin Panella gavin.panella at canonical.com
Fri Oct 10 12:35:57 UTC 2014


On 10 October 2014 12:33, Blake Rouse <blake.rouse at canonical.com> wrote:
> The data that is sent from the cluster to the region is already not
> encrypted so you could just sniff that connection and get that key, so
> that is already insecure.

As of today, in trunk, the secret is not transmitted over the network,
so sniffing won't yield it. Traffic is still in the clear by default,
and auth is done only once per TCP connection, so there are weaknesses
there.

However, we can still place trust in the key. When the time comes to
distribute TLS certificates we can use that trust to decide whether or
not to, say, sign a CSR from a cluster (the cluster would "sign" the CSR
with the shared key, the region can check it, then sign the CSR). This
means we don't have to have another disruptive upgrade experience.

> Also since we serve the web UI over http and not https, makes logging
> it just as easy to sniff the username and password to login as admin
> to make any changes you want. Showing the token in the WebUI is just
> as insecure as allowing someone to login without https. If you want
> security we need to redirect all web traffic to https.

Agreed.

We /could/ only show the token to admins over HTTPS? That probably won't
help the majority of users though.

We /could/ use Diffie-Hellman key exchange to establish the shared key
between the region and a cluster, but it doesn't establish *trust*
between them. The region still has no idea if it's talking to the
cluster, or to someone hiding in the cupboard. Something still has to
happen to establish that trust.

Seeing as I know very little about Diffie-Hellman and didn't have time
to learn, I chose to stay away from that and incorporate the out-of-band
trust-establishment process into the key "exchange".

Cluster registration is not a common activity for end users. It feels
disproportionately painful to us because we're setting MAAS up and
tearing it down a lot, but having to do a one-off installation of a
secret key out-of-band doesn't strike me as a deal breaker for most
people. I also bet that most people will have cluster and region on the
same host, and so they won't have to copy any keys anyway.
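An added illustration of the CSR step described above (the cluster "signs" the CSR with the shared key, the region checks it before acting); this is example code, not MAAS code, and it assumes the shared secret is already installed on both sides and stands in for a real DER-encoded CSR with constructed bytes:

```python
import hashlib
import hmac
import os

# Constructed placeholder for a DER-encoded CSR (assumption: the region
# only needs to treat it as opaque bytes for the authentication step).
CSR_DER = b"-----CONSTRUCTED CSR BYTES-----"


def cluster_sign_csr(shared_key: bytes, csr_der: bytes) -> dict:
    """Cluster side: bind the CSR to the out-of-band shared key with an HMAC.

    The nonce is an assumption of this example: it makes each submission
    distinct so a captured tag cannot be replayed for a different CSR.
    """
    nonce = os.urandom(16)
    tag = hmac.new(shared_key, nonce + csr_der, hashlib.sha256).digest()
    return {"csr": csr_der, "nonce": nonce, "tag": tag}


def region_check_csr(shared_key: bytes, submission: dict) -> bool:
    """Region side: recompute the tag and compare in constant time."""
    expected = hmac.new(
        shared_key, submission["nonce"] + submission["csr"], hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, submission["tag"])


def region_issue_certificate(shared_key: bytes, submission: dict):
    """Only a submission that passes the shared-key check reaches the CA.

    Returns the (placeholder) certificate bytes, or None when rejected.
    """
    if not region_check_csr(shared_key, submission):
        return None
    # Placeholder for the region CA signing the CSR (assumption).
    return b"CERT-FOR:" + submission["csr"]
```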