cookies and internet

tony@REDACTED tony@REDACTED
Thu Jul 12 20:04:36 CEST 2001


Lon Willett wrote:

> At 11:23 12/07/01, taesch wrote:
>
>
> But really, if I understand what you're asking, then the answer is 
> that, by design, this is outside the scope of what Erlang/OTP 
> specifies.  And with the current Erlang/OTP communications model 
> (where the cookie is sent in the clear anyway), one needn't be too 
> careful with it, but shouldn't be careless either (e.g. ftp is 
> probably fine for transporting it, but be sure that the file 
> protection is set appropriately on the systems where it is stored).

The cookie is not sent in the clear!
Not since open source erlang anyway. The cookie may be generated or pasted in
by hand either in the .erlang.cookie file or from the command line
-setcookie <cookie>

When a node connects with another node, a challenge is sent from the node
connected.
Then it expects the challenge+cookie md5 sum as return (i.e. not in the clear).
After that the connection is ready to be hijacked ;-)

>
>> generally, have any study made in this area ? mail posts ? paper ?
>
>
> You can check out the Safe Erlang project at 
> http://www.ericsson.se/cslab/~dan/proj/safeerlang .  This is an 
> ambitious attempt to add capabilities based access-control and secure 
> communications to erlang, but I believe that it is still experimental 
> at this time.  I also seem to recall hearing rumours that someone made 
> the erlang communications run over SSL, but this might be mistaken.

I hope we soon can run distribution over SSL.

>
> I've been intending to implement a simple version of cryptographically 
> secured communications for Erlang/OTP, but haven't found the time.  If 
> someone else is working on this (or wants to), then I'd be happy to 
> share my ideas.  There are some subtle problems involved in setting up 
> such a scheme.
>
> I hope this helps.

I think SSL is the simple way forward.

/Tony
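
The challenge/response exchange described in the message above, as an added example that is not part of the original post or of Erlang/OTP's code. It goes one step beyond the message by having both nodes prove knowledge of the cookie. The digest layout (cookie followed by the challenge as decimal text), the 32-bit challenge size, the message labels and the sample cookie values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def gen_challenge() -> int:
    """Random 32-bit challenge chosen by the node that issues it (assumed size)."""
    return secrets.randbits(32)


def gen_digest(challenge: int, cookie: str) -> bytes:
    """MD5 over the cookie followed by the challenge as decimal text (assumed layout)."""
    return hashlib.md5(cookie.encode() + str(challenge).encode()).digest()


def check_digest(challenge: int, cookie: str, received: bytes) -> bool:
    """Recompute the digest with the local cookie and compare in constant time."""
    return hmac.compare_digest(gen_digest(challenge, cookie), received)


def handshake(cookie_a: str, cookie_b: str):
    """Node A connects to node B.

    Returns (accepted, wire); wire records every value that crossed the network.
    """
    wire = []
    chal_b = gen_challenge()                  # B -> A: challenge
    wire.append(("B->A challenge", chal_b))
    chal_a = gen_challenge()                  # A -> B: A's challenge plus its answer
    reply_a = gen_digest(chal_b, cookie_a)
    wire.append(("A->B challenge_reply", chal_a, reply_a))
    if not check_digest(chal_b, cookie_b, reply_a):
        return False, wire                    # B rejects: A does not know B's cookie
    ack_b = gen_digest(chal_a, cookie_b)      # B -> A: B proves it knows the cookie too
    wire.append(("B->A challenge_ack", ack_b))
    return check_digest(chal_a, cookie_a, ack_b), wire


if __name__ == "__main__":
    # Constructed sample cookies, not real values.
    for a, b in (("SAMPLECOOKIE", "SAMPLECOOKIE"), ("WRONGCOOKIE", "SAMPLECOOKIE")):
        accepted, wire = handshake(a, b)
        print("accepted:", accepted)
        for msg in wire:
            print("   ", msg)
```

Only challenges and digests appear on the wire, never the cookie. The digest covers the handshake alone, so nothing here protects the messages that follow it, which is the gap the message points at.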






