[Bug 480783] Re: Eucalyptus does not allow api connection over https

Soren Hansen soren at ubuntu.com
Mon Nov 16 18:34:11 GMT 2009


On Mon, Nov 16, 2009 at 05:27:37PM -0000, Neil Soman wrote:
> This assertion is incorrect. The secret is never sent in the clear. A
> replay attack is possible and its gravity will depend on the specific
> operation that is replayed.

The hash computed by the client includes a time stamp and a time of
expiry, so it's only vulnerable to a replay attack for a limited time.

Also, the hash is specific to the request (the contents of the request
are part of the hash calculation), so if someone were to intercept it and
try to use it, they would only be able to perform operations the user
already intended to perform. If Eucalyptus were to keep track of hashes
and reject an already seen hash (naturally expiring them as time
passes), this vulnerability should be entirely mitigated, as far as I
can see.

-- 
Eucalyptus does not allow api connection over https
https://bugs.launchpad.net/bugs/480783
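The scheme Soren describes above (a request signature covering the request contents, a timestamp and an expiry, plus the server-side cache of already-seen signatures he proposes), written out as an added Python illustration; this is not Eucalyptus code, and the HMAC-SHA256 construction, the parameter names and the demo secret are assumptions.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode

# Constructed demo secret; it is shared out of band and never sent on the wire.
SECRET = b"constructed-demo-secret"


def canonical_string(params):
    # Every parameter is signed, so altering any field breaks the signature.
    return urlencode(sorted(params.items()))


def sign_request(params, secret=SECRET, now=None, ttl=300):
    """Client side: add Timestamp/Expires, then sign the whole request."""
    now = int(time.time()) if now is None else now
    signed = dict(params, Timestamp=str(now), Expires=str(now + ttl))
    mac = hmac.new(secret, canonical_string(signed).encode(), hashlib.sha256)
    signed["Signature"] = mac.hexdigest()
    return signed


class ReplayGuard:
    """Server side: verifies signatures and remembers them until they expire."""

    def __init__(self):
        self._seen = {}  # signature -> Expires epoch; purged as time passes

    def _purge(self, now):
        self._seen = {s: e for s, e in self._seen.items() if e > now}

    def verify(self, request, secret=SECRET, now=None):
        now = int(time.time()) if now is None else now
        self._purge(now)
        params = dict(request)
        sig = params.pop("Signature", None)
        if sig is None:
            return "missing signature"
        try:
            ts, exp = int(params["Timestamp"]), int(params["Expires"])
        except (KeyError, ValueError):
            return "missing timestamp/expiry"
        if not (ts <= now <= exp):
            return "expired"  # outside the window the client signed for
        expected = hmac.new(secret, canonical_string(params).encode(), hashlib.sha256)
        if not hmac.compare_digest(sig, expected.hexdigest()):
            return "bad signature"  # contents were changed after signing
        if sig in self._seen:
            return "replay"  # identical request already accepted in-window
        self._seen[sig] = exp
        return "ok"
```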