[Bug 480783] Re: Eucalyptus does not allow api connection over https

Neil Soman neilsoman at gmail.com
Mon Nov 16 17:27:37 GMT 2009


"As they carry QueryID/SecretKey in clear, anyone that can sniff the
network can gain admin privileges on eucalyptus."

This assertion is incorrect. The secret is never sent in the clear. A
replay attack is possible and its gravity will depend on the specific
operation that is replayed.

Chris Jones is correct. There is a workaround for this, however, which
involves explicitly trusting the cert, which, depending on the client, may
or may not be a manual step.

Eucalyptus upstream will fix this in the next release.

thanks.

-- 
Eucalyptus does not allow api connection over https
https://bugs.launchpad.net/bugs/480783
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to eucalyptus in ubuntu.
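
The distinction drawn in the message above, as an added example that is not part of the original e-mail and is not Eucalyptus code: in a simplified HMAC query-signing scheme in the style of the EC2 query API, only the key ID and a signature travel on the wire, so a captured request does not reveal the secret but can still be resubmitted unless the server enforces freshness and remembers signatures. The host, key ID, secret, epoch-second timestamp and the `Verifier` class are assumptions made for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample values (assumptions, not taken from the bug report).
SECRET = b"constructed-secret-key"
KEY_ID = "CONSTRUCTEDQUERYID"
HOST, PATH = "cloud.example.test", "/"

def canonical(params):
    # Sorted, percent-encoded key=value pairs form the string that gets signed.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))

def sign(secret, host, path, params):
    # The secret only keys the HMAC; the digest is what leaves the client.
    msg = f"GET\n{host}\n{path}\n{canonical(params)}".encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def build_request(now):
    # Everything in this dict is visible to an observer on a plain-HTTP link.
    params = {"Action": "DescribeInstances", "AccessKeyId": KEY_ID, "Timestamp": now}
    params["Signature"] = sign(SECRET, HOST, PATH, params)
    return params

class Verifier:
    """Hypothetical server-side check: signature, then freshness, then reuse."""
    def __init__(self, secrets, max_skew=300):
        self.secrets = secrets    # key ID -> secret, held server-side only
        self.max_skew = max_skew  # seconds a signed request stays acceptable
        self.seen = set()         # signatures already accepted in the window

    def check(self, host, path, wire, now):
        params = dict(wire)
        sig = params.pop("Signature", "")
        secret = self.secrets.get(params.get("AccessKeyId"))
        if secret is None or not hmac.compare_digest(
                sig, sign(secret, host, path, params)):
            return "bad-signature"
        if abs(now - int(params.get("Timestamp", 0))) > self.max_skew:
            return "stale"
        if sig in self.seen:
            return "replayed"     # a signature-only verifier would accept this
        self.seen.add(sig)
        return "ok"
```

Without the last two checks, a byte-for-byte copy of a valid request verifies every time, which is the replay exposure the message describes; TLS removes the observer's ability to capture the request in the first place.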


