Comment 5 for bug 480783
Revision history for this message
| Soren Hansen (soren) wrote Re: [Bug 480783] Re: Eucalyptus does not allow api connection over https | #5 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
a60fb26
(Get the code!)
On Mon, Nov 16, 2009 at 05:27:37PM -0000, Neil Soman wrote:
> This assertion is incorrect. The secret is never sent in the clear. A
> replay attack is possible and its gravity will depend on the specific
> operation that is replayed.
The hash computed by the client includes a time stamp and a time of
expiry, so it's only vulnerable to a replay attack for a limited time.
Also, the hash is specific to the request (the contents of the request
is part of the hash calculation), so if someone were to intercept it and
try to use it, they would only be able to perform operations the user
already intended to perform. If Eucalyptus were to keep track of hashes
and reject an already seen hash (naturally expiring them as time
passes), this vulnerability should be entirely mitigated, as far as I
can see.